Linked ticket with changeset: r10536
Action performed by A_Jelly_Doughnut (MOD Team Member) on Feb 25th 2010, 00:18
Scenario:
MOD has a database installer located at /install_awsm_mod/index.php. That file contains a call to login_box() in the event that the user is not logged in.
So build_url() will create S_LOGIN_ACTION as ../ucp.php?redirect=urlencode(../install_awsm/mod/index.php)
So ucp.php passes this into meta_refresh(), which in turn calls redirect(). Redirect eventually calls
- Code: Select all
$page_dirs = explode('/', str_replace('\\', '/', phpbb_realpath($pathinfo['dirname'])));
Which returns FALSE. Why? $pathinfo['dirname'] does not exist. Why?
- Code: Select all
print($pathinfo['dirname']); // displays ../install/install_awsm_mod/index.php
So of course, being at /ucp.php, "../" takes us out of the phpBB root, and into no-man's land.
The resulting redirect is
- Code: Select all
http://localhost/phpBB3/../../../../../index.php?&sid=258a07f66530b7fcedfe6c9c10bbcfd2
(the exact number of ../ depends on how many directories from / the phpBB root is.)
Browsers interpret this as "redirect to domain root", so http://localhost/ loads in error (in my case).
Ideally, the redirect would work as planned, but at least a somewhat better case would be to return to the phpBB Index page.
