summaryrefslogtreecommitdiff
path: root/debian/patches/fix_CVE-2015-1432.patch
blob: 07a9592a25b3a3e791e7b9dbba85a640a502117f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
Description: Correctly validate the ucp_pm_options form key
 This allows an attacker to load arbitrary CSS in Internet Explorer by
 crafting a URL with trailing paths after a PHP file (for example
 /path/index.php/more/path). This is only possible if the webserver
 configuration allows accessing PHP files in this manner.
Author: Joas Schilling <nickvergessen@gmx.de>
Origin: upstream, https://www.phpbb.com/community/viewtopic.php?f=14&t=2291456
Bug: https://tracker.phpbb.com/browse/PHPBB3-13526
Bug-Debian: https://bugs.debian.org/776699
Applied-Upstream: commit, https://github.com/phpbb/phpbb/commit/23069a13e203985ab124d1139e8de74b12778449
Reviewed-by: Andreas Fischer <bantu@phpbb.com>
Last-Update: 2015-02-01
--- a/includes/ucp/ucp_pm_options.php
+++ b/includes/ucp/ucp_pm_options.php
@@ -29,7 +29,11 @@
 	// Change "full folder" setting - what to do if folder is full
 	if (isset($_POST['fullfolder']))
 	{
-		check_form_key('ucp_pm_options', $config['form_token_lifetime'], $redirect_url);
+		if (!check_form_key('ucp_pm_options'))
+		{
+			trigger_error('FORM_INVALID');
+		}
+
 		$full_action = request_var('full_action', 0);
 
 		$set_folder_id = 0;