Description: Correctly validate the ucp_pm_options form key This allows an attacker to load arbitrary CSS in Internet Explorer by crafting a URL with trailing paths after a PHP file (for example /path/index.php/more/path). This is only possible if the webserver configuration allows accessing PHP files in this manner. Author: Joas Schilling Origin: upstream, https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456 Bug: https://tracker.phpbb.com/browse/PHPBB3-13526 Bug-Debian: https://bugs.debian.org/776699 Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449 Reviewed-by: Andreas Fischer Last-Update: 2015-02-01
--- a/includes/ucp/ucp_pm_options.php
+++ b/includes/ucp/ucp_pm_options.php
@@ -29,7 +29,11 @@
 // Change "full folder" setting - what to do if folder is full
 if (isset($_POST['fullfolder']))
 {
- check_form_key('ucp_pm_options', $config['form_token_lifetime'], $redirect_url);
+ if (!check_form_key('ucp_pm_options'))
+ {
+ trigger_error('FORM_INVALID');
+ }
+
 $full_action = request_var('full_action', 0);
 $set_folder_id = 0;
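Review bot: The new guard in the `fullfolder` branch only protects the state change if `trigger_error('FORM_INVALID')` ends the request, and nothing in the hunk shows that: with no level argument PHP raises `E_USER_NOTICE`, which returns to the caller unless the application's error handler stops execution. phpBB's handler presumably does exit here, so I would record that on the call, e.g. `// msg_handler() shows the error page and exits; nothing below runs without a valid token`, rather than leave it implicit. The `if (isset($_POST['fullfolder']))` block continues past the end of the hunk and the other POST branches of this file are not visible, so it is worth confirming that none of them still calls `check_form_key()` without testing its return value, which is the pattern removed here. Separately, the Description body (CSS loading in Internet Explorer via trailing paths) does not seem to describe this hunk, which is a form-token (CSRF) check; it looks carried over from a different fix.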