Bug report: Trailing slash on forum spy URL causes error

Posted: 16 Feb 2015, 14:32
by scottc
(not sure if this is the right place to report this, but wasn't sure where else to try)

http://deskthority.net/spy.php/ returns the following: "Trailing paths and PATH_INFO is not supported by phpBB 3.0"

http://deskthority.net/spy.php works correctly.

Posted: 16 Feb 2015, 14:45
by Halvar
I think that's by design. There's never supposed to be a slash behind ".php" or ".html".

Posted: 16 Feb 2015, 14:56
by scottc
That's true, but I still find it strange that it worked before the phpBB upgrade. Seems like a strange thing to have changed in a minor release.

Posted: 16 Feb 2015, 15:12
by webwit
It was a security fix:
The second issue, reported to us by James Kettle, allows an attacker to load arbitrary CSS in Internet Explorer by crafting a URL with trailing paths after a PHP file (for example /path/index.php/more/path). This is only possible if the webserver configuration allows accessing PHP files in this manner. This can be exploited directly on Internet Explorer 7 or below, and on newer versions of Internet Explorer by using a frame that forces outdated rendering behavior.
Tracker: https://tracker.phpbb.com/browse/PHPBB3-13531
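
An added example (not part of the thread and not phpBB's own code): a small log check an administrator could run to see which requests carry a trailing path after a PHP file, which is the request shape the fix quoted above now rejects. The access-log format and the sample lines are constructed for illustration; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, unquote

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A .php script name immediately followed by extra path segments (PATH_INFO).
SCRIPT_RE = re.compile(r'^(.*?\.php)(/.*)$', re.IGNORECASE)

# Constructed sample lines (documentation IP range), using the URLs from this thread.
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Feb/2015:14:30:01 +0000] "GET /spy.php/ HTTP/1.1" 200 512',
    '192.0.2.10 - - [16/Feb/2015:14:31:12 +0000] "GET /spy.php HTTP/1.1" 200 9120',
    '192.0.2.44 - - [16/Feb/2015:14:33:40 +0000] "GET /path/index.php/more/path HTTP/1.1" 200 512',
    '192.0.2.44 - - [16/Feb/2015:14:34:02 +0000] "GET /viewtopic.php?f=2&t=9 HTTP/1.1" 200 20480',
]

def split_path_info(target):
    """Return (script, path_info) for a request target; path_info is '' if absent."""
    # Only the path component counts: ".php/" inside a query string is not PATH_INFO.
    # Percent-decoding is deliberately conservative, so "%2F" is treated as "/".
    path = unquote(urlsplit(target).path)
    match = SCRIPT_RE.match(path)
    if match:
        return match.group(1), match.group(2)
    return path, ''

def trailing_path_requests(log_lines):
    """List (script, path_info) for every logged request with a trailing path."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        script, path_info = split_path_info(match.group(1))
        if path_info:
            hits.append((script, path_info))
    return hits

if __name__ == "__main__":
    for script, path_info in trailing_path_requests(SAMPLE_LOG):
        print(f"{script} requested with trailing path {path_info!r}")
```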

Posted: 16 Feb 2015, 15:16
by scottc
Ah, right, thanks webwit. Now all I need to do is rewrite my browser history because the version with the trailing slash is for some reason the most used...

Posted: 16 Feb 2015, 16:24
by Muirium
Even after all these years, Internet Explorer is still beautiful…

(Says the Mac user, who got off at Windows 2000.)