[3.3.x] Support Forum • Tried to redirect to potentially insecure url from ucp login

Support Request Template
What version of phpBB are you using? phpBB 3.3.14
What is your board's URL? https://dev.scalefour.org
Who do you host your board with? Ionos
How did you install your board? I used the download package from phpBB.com
What is the most recent action performed on your board? Update from a previous version of phpBB3
Is registration required to reproduce this issue? Yes
Do you have any MODs installed? No
Do you have any extensions installed? No
What version of phpBB3 did you update from? phpBB 3.1.10
What styles do you currently have installed? One based on prosilver
What language(s) is your board currently using? English
Which database type/version are you using? MySQL 5
What is your level of experience? New to PHP and phpBB
What username can be used to view this issue? test2_user
What password can be used to view this issue? phpbb_user
What actions did you take (updating your board; installing a MOD, style or extension; etc.) prior to this problem becoming noticeable? I updated the board from 3.1.10 using the phpBB recommended steps.
Please describe your problem. The forum is additional to a main website (I'll refer to it as 'home') comprising html and php pages. We have a members-only section and use phpBB to authorise members. If a guest tries to access a members-only page we use a php script which re-directs to the ucp login. When the member authenticates we get "Tried to redirect to potentially insecure url".
I believe SSL is set up correctly; the 'home' pages and forum are on the same domain.
If I comment out the following code in includes/functions.php the newly logged in member successfully re-directs.

Code:

// Clean URL and check if we go outside the forum directory
$url = $phpbb_path_helper->clean_url($url);
if (!$disable_cd_check && strpos($url, generate_board_url(true) . '/') !== 0)
{
	trigger_error('INSECURE_REDIRECT', E_USER_WARNING);
}
We do go outside the forum directory because before the upgrade the forum installation was in a subdirectory of 'home'. It has been moved into a directory at the same level as home, so we have <document_root>/home, <document_root>/forum.
As a consequence of this move we re-write, in .htaccess, any url destined for 'home' to inject home into the path. The idea is to mask the fact that the page is in the /home directory and the url in the browser should never show home (it does sometimes, but the site is still in development).
The hidden redirect field in the ucp login form has a path of

Code:

value="./../../../../../home/members/stores/index.php/members/stores/?"
Is there somewhere I could change the value of $disable_cd_check?

To reproduce the error
  1. Go to https://dev.scalefour.org
  2. Select 'Members Area' from the sidebar menu
  3. Select the link 'Continue to Members only Homepage'

    Note: We use Cloudflare but the cache is disabled for this url because it is development.

Statistics: Posted by rjhodgson — Wed Mar 26, 2025 11:09 pm
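The check quoted in the post, modelled in Python as an added example (this is not phpBB's own code): the redirect target is resolved against the login page the way a browser would, dot segments are removed, and the result must start with the board URL plus a trailing slash. The board URL, the login page path and the allow-list in allowed_redirect are assumptions for illustration; the redirect value is the one quoted above.

```python
from urllib.parse import urljoin, urlsplit

# Constructed values modelled on the post; the board URL path is an assumption.
BOARD_URL = "https://dev.scalefour.org/forum"
LOGIN_PAGE = BOARD_URL + "/ucp.php"
# The hidden redirect field value quoted in the post.
POSTED_REDIRECT = "./../../../../../home/members/stores/index.php/members/stores/?"


def resolve_redirect(target: str, base: str = LOGIN_PAGE) -> str:
    """Resolve a redirect target relative to the login page with '.' and '..'
    segments removed (RFC 3986 rules, as urljoin implements them). Surplus
    '..' segments above the site root are silently dropped."""
    return urljoin(base, target)


def inside_board(target: str, board_url: str = BOARD_URL) -> bool:
    """Model of the INSECURE_REDIRECT test in the post: the normalised absolute
    URL must begin with the board URL followed by '/'. The trailing slash is
    what stops a sibling path such as '/forum-old/' from passing as a prefix."""
    return resolve_redirect(target).startswith(board_url + "/")


def allowed_redirect(target: str, extra_prefixes=()) -> bool:
    """Assumed mitigation (not a phpBB feature): keep the board check and
    additionally accept an explicit allow-list of same-origin prefixes, rather
    than switching the check off for every redirect target."""
    if inside_board(target):
        return True
    resolved = resolve_redirect(target)
    parts, board = urlsplit(resolved), urlsplit(BOARD_URL)
    # Never honour a target on another scheme or host, allow-list or not.
    if (parts.scheme, parts.netloc) != (board.scheme, board.netloc):
        return False
    return any(resolved.startswith(prefix) for prefix in extra_prefixes)


if __name__ == "__main__":
    print(resolve_redirect(POSTED_REDIRECT))
    print(inside_board(POSTED_REDIRECT))           # False: resolves to /home/...
    print(inside_board("./viewtopic.php?t=1"))    # True: stays under /forum/
    print(inside_board("//evil.example/x"))       # False: different host
    print(allowed_redirect(POSTED_REDIRECT, ("https://dev.scalefour.org/home/members/",)))
```

Running it shows why the posted value trips the check: after the '..' segments are collapsed it lands in /home/, outside the board directory, which is exactly what the test is meant to catch.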