Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-15945

Allow redirection to subdomains based on cookie domain

    Details

    • Type: Improvement
    • Status: Patch Awaiting Review (View Workflow)
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 3.2.3, 3.2.4, 3.2.5
    • Fix Version/s: None
    • Component/s: Login
    • Labels:
    • Environment:
      PHP 7.2.13

      Description

      Background:

      In includes/functions.php there exists code to prevent redirecting to domains outside of the scope of the phpBB installation. However, the code prevents redirecting to subdomains and www/non-www domains.

      I believe there needs to be a means to allow redirecting to any domain / subdomain that is covered by the phpBB cookie set. For example with the following cookie settings:

      Cookie Domain: .domain.com
      phpBB Installation: forum.domain.com
      Main Site: www.domain.com

      If I setup a redirect outside of the subdomain, phpBB will prevent this in an effort to block malicious redirecting. However, I think it fair that phpBB should allow a redirect to anywhere where the phpBB cookie is valid.

       

      Potential Fix:

      This can be fixed in the includes/functions.php file, by modifying the redirect function. The easiest, but perhaps not the most elegant solution is to compare the $url_parts['host'] (the requested redirect's host name) to $config['cookie_domain'] (the specified cookie domain).

      There are generally 4 configurations for the cookie domain:

      The redirect function would need to compare the ending of the requested redirection host to see if it qualifies as a valid redirection domain.

      An empty cookie domain skips and fails the test.

      A cookie domain that does or does not start with the dot can match a redirection domain that is exactly equal to domain.com, or has a subdomain + domain.com.

      If the cookie domain specifies either www or a subdomain, the redirection domain must match exactly.

       

      Code Example:

      This code seems to work with the above conditions. Though it isn't very elegant and merely skips any other redirect checks if it is successful.

      if (!$disable_cd_check && !empty($config['cookie_domain']) && !empty($url_parts['host']))
      {
      	if (strpos($config['cookie_domain'], '.') === 0 && substr($url_parts['host'], -strlen($config['cookie_domain'])) !== $config['cookie_domain'] && substr($config['cookie_domain'], 1) !== $url_parts['host'])
      	{
      		trigger_error('INSECURE_REDIRECT', E_USER_WARNING);				
      	}
      	else if (strpos($config['cookie_domain'], '.') !== 0 && substr($url_parts['host'], -strlen($config['cookie_domain'])-1) !== '.' . $config['cookie_domain'] && $url_parts['host'] !== $config['cookie_domain'])
      	{
      		trigger_error('INSECURE_REDIRECT', E_USER_WARNING);
      	}
      	else
      	{
      		//Passes cookie check
      		$disable_cd_check = true;	
      	}
      }

      The variable $config needs to be set as a global for the redirect function.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              Ectoman AJ Quick
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated: