  1. phpBB3
  2. PHPBB3-16918

phpBB circumvents http>https redirection

Details

    • Security Issue
    • Status: Closed
    • Major
    • Resolution: Invalid
    • 3.3.5
    • None
    • Authentication
    • I am using the latest release version of phpBB on an Apache server

    Description

      I am using a simple HTTP to HTTPS redirect on my website through .htaccess in the root directory. My phpBB3 forum is installed in a subdirectory and has its own .htaccess file that comes in with the installation.

      The problem is that phpBB's htaccess file seems to overwrite the simple redirect I have in my root directory:

      RewriteCond %{HTTP_HOST} ^example\.com [NC]
      RewriteCond %{SERVER_PORT} 80 
      RewriteRule ^(.*)$ https://example.com/$1 [R,L]

       

      As a result, the boards can be browsed using the HTTP protocol which is unsecure - especially when there are internal links on the forums.

      I think HTTP authentication should be blocked altogether, especially if SSL is enabled in the forum options. It's very easy to check if the user is connected through HTTPS using PHP.
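
Apache does not merge a parent directory's per-directory rewrite rules into a subdirectory whose .htaccess carries its own mod_rewrite directives unless `RewriteOptions Inherit` is set, which matches the behaviour reported above. The audit script below is an added example, not part of the original report or of phpBB's code; the directory names and sample .htaccess bodies are constructed, and the regex matching is a simplification of Apache's own parser.

```python
import re
import tempfile
from pathlib import Path

FLAGS = re.I | re.M
REWRITE_ANY = re.compile(r"^[ \t]*Rewrite(Engine|Rule|Cond|Base)\b", FLAGS)
INHERIT_UP = re.compile(r"^[ \t]*RewriteOptions[ \t].*\bInherit(Before)?\b", FLAGS)
INHERIT_DOWN = re.compile(r"^[ \t]*RewriteOptions[ \t].*\bInheritDown(Before)?\b", FLAGS)
HTTPS_RULE = re.compile(r"^[ \t]*RewriteRule[ \t]+\S+[ \t]+\"?https://", FLAGS)

def read(path):
    return path.read_text(errors="replace") if path.is_file() else ""

def lost_redirect(docroot, directory):
    """True if an ancestor .htaccess redirects to https:// without InheritDown."""
    for d in directory.parents:
        text = read(d / ".htaccess")
        if HTTPS_RULE.search(text) and not INHERIT_DOWN.search(text):
            return True
        if d == docroot:
            break
    return False

def shadowed_dirs(docroot):
    """Subdirectories whose own mod_rewrite directives drop an ancestor's redirect."""
    docroot = Path(docroot).resolve()
    hits = []
    for ht in sorted(docroot.rglob(".htaccess")):
        text = read(ht)
        if ht.parent == docroot or not REWRITE_ANY.search(text):
            continue  # the root file itself, or no rewrite config to replace the parent's
        if INHERIT_UP.search(text) or HTTPS_RULE.search(text):
            continue  # parent rules are merged in, or the redirect is repeated here
        if lost_redirect(docroot, ht.parent):
            hits.append(ht.parent.relative_to(docroot).as_posix())
    return hits

def demo():
    """Audit a constructed docroot (sample files, not phpBB's shipped .htaccess)."""
    redirect = ("RewriteEngine On\nRewriteCond %{SERVER_PORT} 80\n"
                "RewriteRule ^(.*)$ https://example.com/$1 [R,L]\n")
    front = "RewriteEngine on\nRewriteRule ^(.*)$ app.php [QSA,L]\n"
    files = {".": redirect, "forum": front, "static": "Options -Indexes\n",
             "wiki": "RewriteOptions Inherit\n" + front}
    with tempfile.TemporaryDirectory() as tmp:
        for sub, body in files.items():
            (Path(tmp) / sub).mkdir(exist_ok=True)
            (Path(tmp) / sub / ".htaccess").write_text(body)
        return shadowed_dirs(tmp)
```

When repeating the redirect in a flagged directory, build the target from `%{REQUEST_URI}` rather than `$1`, because per-directory patterns match the path relative to that directory.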

          People

            Unassigned
            dopeman69