styles_admin potential vulnerability

[psoTFX]

Our hearty (non) thanks to the person who released this information without bothering to contact us first (he even boasts about not informing us).

There is a potential vulnerability in admin/admin_styles.php ... while it cannot (directly) lead to damage to your board it may allow people to access other files on the operating system. Therefore you are advised to modify the file as follows:

Find:

Code: Select all

//
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";

$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

if (empty($HTTP_POST_VARS['send_file']))
{
	$no_page_header = ( $cancel ) ? TRUE : FALSE;
	require($phpbb_root_path . 'extension.inc');
	require('./pagestart.' . $phpEx);
}

if ($cancel)
{
	redirect('admin/' . append_sid("admin_styles.$phpEx", true));
}

Replace with:

Code: Select all

//
// Load default header
//
//
// Check if the user has cancled a confirmation message.
//
$phpbb_root_path = "./../";
require($phpbb_root_path . 'extension.inc');

$confirm = ( isset($HTTP_POST_VARS['confirm']) ) ? TRUE : FALSE;
$cancel = ( isset($HTTP_POST_VARS['cancel']) ) ? TRUE : FALSE;

$no_page_header = (!empty($HTTP_POST_VARS['send_file']) || $cancel) ? TRUE : FALSE;

require('./pagestart.' . $phpEx);

if ($cancel)
{
	redirect('admin/' . append_sid("admin_styles.$phpEx", true));
}

Feel free to let the person know how you feel about releasing vulnerability information without informing us first ... you'll find links on the securityfocus.com release:

http://www.securityfocus.com/bid/7932/credit/