Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-9034

Redirect() fails with directory traversal

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.6
    • Fix Version/s: 3.0.8-RC1
    • Component/s: Login
    • Labels:
      None
    • Environment:
      PHP Environment: All
      Database: All

      Description

      This bug is not realized in a vanilla phpBB install, but ...

      Scenario:
      MOD has a database installer located at /install_awsm_mod/index.php. That file contains a call to login_box() in the event that the user is not logged in.
      So build_url() will create S_LOGIN_ACTION as ../ucp.php?redirect=urlencode(../install_awsm/mod/index.php)

      So ucp.php passes this into meta_refresh(), which in turn calls redirect(). Redirect eventually calls

      			$page_dirs = explode('/', str_replace('\\', '/', phpbb_realpath($pathinfo['dirname'])));


      Which returns FALSE. Why? $pathinfo['dirname'] does not exist. Why?

      print($pathinfo['dirname']); // displays ../install/install_awsm_mod/index.php


      So of course, being at /ucp.php, "../" takes us out of the phpBB root, and into no-man's land.

      The resulting redirect is

      http://localhost/phpBB3/../../../../../index.php?&sid=258a07f66530b7fcedfe6c9c10bbcfd2


      (the exact number of ../ depends on how many directories from / the phpBB root is.)
      Browsers interpret this as "redirect to domain root", so http://localhost/ loads in error (in my case).

      Ideally, the redirect would work as planned, but at least a somewhat better case would be to return to the phpBB Index page.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                A_Jelly_Doughnut A_Jelly_Doughnut
                Reporter:
                A_Jelly_Doughnut A_Jelly_Doughnut
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: