Diffstat (limited to 'debian/patches/fix_CVE-2015-1432.patch')
-rw-r--r--debian/patches/fix_CVE-2015-1432.patch27
1 files changed, 27 insertions, 0 deletions
diff --git a/debian/patches/fix_CVE-2015-1432.patch b/debian/patches/fix_CVE-2015-1432.patch
new file mode 100644
index 0000000..07a9592
--- /dev/null
+++ b/debian/patches/fix_CVE-2015-1432.patch
@@ -0,0 +1,27 @@
+Description: Correctly validate the ucp_pm_options form key
+ This allows an attacker to load arbitrary CSS in Internet Explorer by
+ crafting a URL with trailing paths after a PHP file (for example
+ /path/index.php/more/path). This is only possible if the webserver
+ configuration allows accessing PHP files in this manner.
+Author: Joas Schilling <nickvergessen@gmx.de>
+Origin: upstream, https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456
+Bug: https://tracker.phpbb.com/browse/PHPBB3-13526
+Bug-Debian: https://bugs.debian.org/776699
+Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449
+Reviewed-by: Andreas Fischer <bantu@phpbb.com>
+Last-Update: 2015-02-01
+--- a/includes/ucp/ucp_pm_options.php
++++ b/includes/ucp/ucp_pm_options.php
+@@ -29,7 +29,11 @@
+ // Change "full folder" setting - what to do if folder is full
+ if (isset($_POST['fullfolder']))
+ {
+- check_form_key('ucp_pm_options', $config['form_token_lifetime'], $redirect_url);
++ if (!check_form_key('ucp_pm_options'))
++ {
++ trigger_error('FORM_INVALID');
++ }
++
+ $full_action = request_var('full_action', 0);
+
+ $set_folder_id = 0;
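Review bot: The long Description (the four lines under `Description: Correctly validate the ucp_pm_options form key`) does not match the code change below it: the inner hunk only makes the `fullfolder` branch act on the result of `check_form_key('ucp_pm_options')`, which is a request-forgery check, and nothing in it touches URL paths or CSS loading. The text reads as if it was carried over from a different patch, so anyone triaging this CVE from the DEP-3 header would misjudge what is fixed and whether their deployment is exposed. I would replace those lines with something like ` The removed call discarded the return value of check_form_key(), so the "full folder" setting could be changed by a forged POST that carried no valid form token.` The `if (isset($_POST['fullfolder']))` block continues past the end of the inner hunk, so whether the other POST handlers in this file check the form key cannot be confirmed from here.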