  1. phpBB3
  2. PHPBB3-9034

Redirect() fails with directory traversal

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.0.6
    • Fix Version/s: 3.0.8-RC1
    • Component/s: Login
    • Labels:
      None
    • Environment:
      PHP Environment: All
      Database: All

      Description

      This bug is not realized in a vanilla phpBB install, but ...

      Scenario:
      MOD has a database installer located at /install_awsm_mod/index.php. That file contains a call to login_box() in the event that the user is not logged in.
      So build_url() will create S_LOGIN_ACTION as ../ucp.php?redirect=urlencode(../install_awsm/mod/index.php)

      So ucp.php passes this into meta_refresh(), which in turn calls redirect(). Redirect eventually calls

      			$page_dirs = explode('/', str_replace('\\', '/', phpbb_realpath($pathinfo['dirname'])));


      Which returns FALSE. Why? $pathinfo['dirname'] does not exist. Why?

      print($pathinfo['dirname']); // displays ../install/install_awsm_mod/index.php


      So of course, being at /ucp.php, "../" takes us out of the phpBB root, and into no-man's land.

      The resulting redirect is

      http://localhost/phpBB3/../../../../../index.php?&sid=258a07f66530b7fcedfe6c9c10bbcfd2


      (the exact number of ../ depends on how many directories from / the phpBB root is.)
      Browsers interpret this as "redirect to domain root", so http://localhost/ loads in error (in my case).

      Ideally, the redirect would work as planned, but at least a somewhat better case would be to return to the phpBB Index page.

      1. bug-56965.diff
        0.6 kB
        A_Jelly_Doughnut
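An added illustration of the failure described in this report; it is not phpBB code and not the attached patch. It resolves the redirect string lexically against the directory of the script that built it, and falls back to the index page when the path would leave the board root. The function name `resolve_redirect()` and the `$script_dir` parameter are hypothetical, and all paths are assumed to be relative to the board root.

```php
<?php
// Added illustration, not phpBB code. resolve_redirect() and $script_dir
// are hypothetical names; paths are relative to the board root.

/**
 * Lexically resolve a relative redirect target against the directory of the
 * script that built it. No filesystem lookup is made, so a directory that
 * does not exist cannot turn the result into FALSE as a realpath()-style
 * call can. Expects a relative path, not an absolute URL.
 */
function resolve_redirect(string $target, string $script_dir = ''): string
{
    // Keep the query string aside; only the path part is normalised.
    $query = '';
    $pos = strpos($target, '?');
    if ($pos !== false) {
        $query  = substr($target, $pos);
        $target = substr($target, 0, $pos);
    }

    // Directory of the originating script, as a stack of path segments.
    $dir   = str_replace('\\', '/', $script_dir);
    $stack = array_values(array_filter(explode('/', $dir), 'strlen'));

    foreach (explode('/', str_replace('\\', '/', $target)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            if (!$stack) {
                return 'index.php'; // would leave the board root: fall back
            }
            array_pop($stack);
            continue;
        }
        $stack[] = $segment;
    }

    return $stack ? implode('/', $stack) . $query : 'index.php';
}

// Constructed inputs modelled on the report's scenario.
// Resolved from the MOD's own directory, "../" stops at the board root:
echo resolve_redirect('../install_awsm_mod/index.php', 'install_awsm_mod'), "\n";
// Resolved from ucp.php (board root), the same string climbs out of the root:
echo resolve_redirect('../install_awsm_mod/index.php'), "\n";
```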

          Activity

          A_Jelly_Doughnut A_Jelly_Doughnut added a comment -

          Proposed patch:

          bantu Andreas Fischer added a comment -

          r10536 is corrupted, you cannot use "break;" there, since there is no loop. "return;", maybe?

          A_Jelly_Doughnut A_Jelly_Doughnut added a comment -

          Another test case from nickvergessen: http://www.phpbb.com/bugs/phpbb3/58345

          A_Jelly_Doughnut A_Jelly_Doughnut added a comment -

          I cannot reproduce the problem, and no one has said they can either in a large number of weeks, so I'm re-closing the ticket.


            People

            • Assignee:
              A_Jelly_Doughnut
            • Reporter:
              A_Jelly_Doughnut
            • Votes:
              0
            • Watchers:
              2
