Medium severity (CVSS 6.1) · NVD Advisory · Published Sep 19, 2017 · Updated May 13, 2026
CVE-2015-3880
CVE-2015-3880
Description
Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified vectors.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
phpbb/phpbb (Packagist) | < 3.0.14 | 3.0.14 |
phpbb/phpbb (Packagist) | >= 3.1.0, < 3.1.4 | 3.1.4 |
Affected products
- cpe:2.3:a:phpbb:phpbb:3.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:a1:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:a2:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:a3:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:b1:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:b2:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:b3:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:b4:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:rc4:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:rc5:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.0:rc6:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:3.1.4:rc2:*:*:*:*:*:*
- cpe:2.3:a:phpbb:phpbb:*:rc1:*:*:*:*:*:* (version range: <= 3.0.14)
Patches
c1702b8e19a6 — Merge remote-tracking branch 'phpbb-security/ticket/security-180-asc' into prep-release-3.1.4
2 files changed · +10 −5
phpBB/includes/functions.php+2 −2 modified
@@ -2309,7 +2309,7 @@ function redirect($url, $return = false, $disable_cd_check = false)
 // Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work)
 if (!$disable_cd_check && $url_parts['host'] !== $user->host)
 {
- $url = generate_board_url();
+ trigger_error('INSECURE_REDIRECT', E_USER_ERROR);
 }
 }
 else if ($url[0] == '/')
@@ -2347,7 +2347,7 @@ function redirect($url, $return = false, $disable_cd_check = false)
 // Clean URL and check if we go outside the forum directory
 $url = $phpbb_path_helper->clean_url($url);
- if (!$disable_cd_check && strpos($url, generate_board_url(true)) === false)
+ if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
 {
 trigger_error('INSECURE_REDIRECT', E_USER_ERROR);
 }
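Review bot: The new prefix check `strpos($url, generate_board_url(true) . '/') !== 0` in the second hunk has no comment explaining why the trailing slash is load-bearing, and the same applies to the equivalent block added in the 3.0.14 patch below. Without the slash a bare host prefix would also accept a URL whose host merely starts with the board's host or whose userinfo part ends in it, which is exactly what the new `localhost.foobar.com\@localhost` and `foobar.com\@localhost` test rows are there to reject. I would put above the condition: `// The trailing slash is required: a bare host prefix would also match hosts that merely start with ours, or a userinfo part ending in our host.` Presumably the earlier `$url_parts['host'] !== $user->host` comparison does not catch the backslash/userinfo forms, so this prefix test is the check that actually enforces the same-host rule; worth stating that in the comment too. redirect() starts and ends outside both hunks.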
tests/security/redirect_test.php+8 −3 modified
@@ -23,9 +23,9 @@ public function provider()
 {
 // array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false))
 return array(
- array('data://x', false, false, 'http://localhost/phpBB'),
+ array('data://x', false, 'INSECURE_REDIRECT', false),
 array('bad://localhost/phpBB/index.php', false, 'INSECURE_REDIRECT', false),
- array('http://www.otherdomain.com/somescript.php', false, false, 'http://localhost/phpBB'),
+ array('http://www.otherdomain.com/somescript.php', false, 'INSECURE_REDIRECT', false),
 array("http://localhost/phpBB/memberlist.php\n\rConnection: close", false, 'INSECURE_REDIRECT', false),
 array('javascript:test', false, false, 'http://localhost/phpBB/javascript:test'),
 array('http://localhost/phpBB/index.php;url=', false, 'INSECURE_REDIRECT', false),
@@ -51,6 +51,11 @@ public function provider()
 array('../index.php', false, false, 'http://localhost/index.php'),
 array('../index.php', true, false, 'http://localhost/index.php'),
 array('./index.php', false, false, 'http://localhost/phpBB/index.php'),
+ array('https://foobar.com\@http://localhost/phpBB', false, 'INSECURE_REDIRECT', false),
+ array('https://foobar.com\@localhost/troll/http://localhost/', false, 'INSECURE_REDIRECT', false),
+ array('http://localhost.foobar.com\@localhost/troll/http://localhost/', false, 'INSECURE_REDIRECT', false),
+ array('http://localhost/phpBB', false, false, 'http://localhost/phpBB'),
+ array('http://localhost/phpBB/', false, false, 'http://localhost/phpBB/'),
 );
 }
@@ -105,7 +110,7 @@ public function test_redirect($test, $disable_cd_check, $expected_error, $expect
 if ($expected_error !== false)
 {
- $this->setExpectedTriggerError(E_USER_ERROR, $expected_error);
+ $this->setExpectedTriggerError(E_USER_ERROR, $user->lang[$expected_error]);
 }
 $result = redirect($test, true, $disable_cd_check);
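Review bot: `$user->lang[$expected_error]` in the last hunk depends on a `$user` variable being in scope inside test_redirect(), whose body starts outside the hunk; if it is the global that setUp() populates, this line needs `global $user;` (or `$this->user`) first, otherwise PHP emits an undefined-variable notice and the expected message becomes null. The provider rows also now carry four columns (input, `$disable_cd_check`, expected error lang key, expected result) while the comment above `return array(` still lists three; update it to `// array(Input -> redirect(), $disable_cd_check, expected triggered error lang key (else false), expected returned result url (else false))`.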
1a3350619f42 — Merge remote-tracking branch 'phpbb-security/ticket/security-180' into prep-release-3.0.14
2 files changed · +14 −3
phpBB/includes/functions.php+7 −1 modified
@@ -2492,7 +2492,7 @@ function redirect($url, $return = false, $disable_cd_check = false)
 // Attention: only able to redirect within the same domain if $disable_cd_check is false (yourdomain.com -> www.yourdomain.com will not work)
 if (!$disable_cd_check && $url_parts['host'] !== $user->host)
 {
- $url = generate_board_url();
+ trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
 }
 }
 else if ($url[0] == '/')
@@ -2579,6 +2579,12 @@ function redirect($url, $return = false, $disable_cd_check = false)
 }
 }
+ // Make sure we don't redirect to external URLs
+ if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
+ {
+ trigger_error('Tried to redirect to potentially insecure url.', E_USER_ERROR);
+ }
 // Make sure no linebreaks are there... to prevent http response splitting for PHP < 4.4.2
 if (strpos(urldecode($url), "\n") !== false || strpos(urldecode($url), "\r") !== false || strpos($url, ';') !== false)
 {
tests/security/redirect_test.php+7 −2 modified
@@ -18,12 +18,17 @@ static public function provider()
 {
 // array(Input -> redirect(), expected triggered error (else false), expected returned result url (else false))
 return array(
- array('data://x', false, 'http://localhost/phpBB'),
+ array('data://x', 'Tried to redirect to potentially insecure url.', false),
 array('bad://localhost/phpBB/index.php', 'Tried to redirect to potentially insecure url.', false),
- array('http://www.otherdomain.com/somescript.php', false, 'http://localhost/phpBB'),
+ array('http://www.otherdomain.com/somescript.php', 'Tried to redirect to potentially insecure url.', false),
 array("http://localhost/phpBB/memberlist.php\n\rConnection: close", 'Tried to redirect to potentially insecure url.', false),
 array('javascript:test', false, 'http://localhost/phpBB/../javascript:test'),
 array('http://localhost/phpBB/index.php;url=', 'Tried to redirect to potentially insecure url.', false),
+ array('https://foobar.com\@http://localhost/phpBB', 'Tried to redirect to potentially insecure url.', false),
+ array('https://foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false),
+ array('http://localhost.foobar.com\@localhost/troll/http://localhost/', 'Tried to redirect to potentially insecure url.', false),
+ array('http://localhost/phpBB', false, 'http://localhost/phpBB'),
+ array('http://localhost/phpBB/', false, 'http://localhost/phpBB/'),
 );
 }
References
- www.openwall.com/lists/oss-security/2015/05/12/10 (nvd: Mailing List, Patch, Third Party Advisory, WEB)
- github.com/phpbb/phpbb/commit/1a3350619f428d9d69d196c52128727e27ef2f04 (nvd: Patch, Third Party Advisory, WEB)
- www.securityfocus.com/bid/74592 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-hwq7-cvp8-6hm3 (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-3880 (ghsa: ADVISORY)
- wiki.phpbb.com/Release_Highlights/3.0.14 (nvd: Third Party Advisory, WEB)
- wiki.phpbb.com/Release_Highlights/3.1.4 (nvd: Third Party Advisory, WEB)
- www.phpbb.com/community/viewtopic.php (nvd: Vendor Advisory, WEB)
- github.com/phpbb/phpbb/commit/c1702b8e19a69c98ef049abb4e14157e3e208ed4 (ghsa: WEB)
- web.archive.org/web/20170520103544/http://www.securityfocus.com/bid/74592 (ghsa: WEB)