Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-10035

ACP template edit feature allows to read any files on webserver and to upload/execute any script on it

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.8
    • Fix Version/s: 3.0.9-RC1
    • Component/s: ACP
    • Labels:
      None

      Description

      When you're going to edit any template file with ACP/Styles/Templates -> edit feature, you can access any files on webserver by replacing the value for name=template_file in form input tag with any path going upwards, like

      ..../..../..../index.php

      and so on.
      As a result you can read any files (imagine config.php) as well as write any custom code (including shells/etc) into writable directories like /cache.
      The problematic code is in includes/acp/acp_styles.php, function edit_template():

      // make sure template_file path doesn't go upwards
      $template_file = str_replace('..', '.', $template_file);

      which doesn't really make its job since ..../ is being replaced with ../ and hence allows you to go directory upwards anyway.

      Never let your co-admins (who doesn't have founder permissions / ftp access) to use ACP template edit feature until this bug is unfixed

        Activity

        Hide
        bantu Andreas Fischer added a comment -

        Well ... yes. This is why the constant PHPBB_DISABLE_ACP_EDITOR has been added.

        Show
        bantu Andreas Fischer added a comment - Well ... yes. This is why the constant PHPBB_DISABLE_ACP_EDITOR has been added.
        Hide
        rxu Ruslan Uzdenov added a comment -

        I've decided just to use preg_replace instead of str_replace.

        Show
        rxu Ruslan Uzdenov added a comment - I've decided just to use preg_replace instead of str_replace.
        Hide
        Oleg Oleg [X] (Inactive) added a comment - - edited

        Patch looks good.

        I might suggest aborting with an error message if unacceptable path is passed instead of just silently correcting it.

        Show
        Oleg Oleg [X] (Inactive) added a comment - - edited Patch looks good. I might suggest aborting with an error message if unacceptable path is passed instead of just silently correcting it.

          People

          • Assignee:
            rxu Ruslan Uzdenov
            Reporter:
            rxu Ruslan Uzdenov
          • Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development