Software Security/Group 9/PhpBB

From Werkplaats
Version by Roberto Lie (talk | contributions) on 24 Jun 2011 at 16:13 (add include graph)

Directory Structure

[phpBB2]

—ι common.php
—ι config.php
—ι extension.inc
—› faq.php
—› groupcp.php
—› index.php
—› install.php — installation page, out of our concern
—› login.php
—› memberlist.php
—› modcp.php
—› posting.php
—› privmsg.php
—› profile.php
—› search.php
—› update_to_FINAL.php — installation page, out of our concern
—› upgrade.php — installation page, out of our concern
—› viewforum.php
—› viewonline.php
—› viewtopic.php

[admin]
—› admin_board.php
—› admin_db_utilities.php
—› admin_disallow.php
—› admin_forumauth.php
—› admin_forums.php
—› admin_forum_prune.php
—› admin_groups.php
—› admin_mass_email.php
—› admin_ranks.php
—› admin_smilies.php
—› admin_styles.php
—› admin_ug_auth.php
—› admin_users.php
—› admin_user_ban.php
—› admin_words.php
—› index.php
—ι pagestart.php
—ι page_footer_admin.php
—ι page_header_admin.php

[contrib] — several contributed modules; not installed by default and not in our scope

[db] — SQL layers providing abstractions to support different database backends, not of our particular interest
[schemas] — contains phpBB's DB schema, which we would not need to review

[docs] — several somewhat outdated documentations, not very useful
[images] — just a bunch of images

[includes]
—ι auth.php
—ι bbcode.php
—ι constants.php
—ι db.php
—ι emailer.php
—ι functions.php
—ι functions_admin.php
—ι functions_post.php
—ι functions_search.php
—ι functions_selects.php
—ι functions_validate.php
—› index.htm — just a blank page to prevent directory listing
—ι page_header.php
—ι page_tail.php
—ι prune.php
—ι sessions.php
—ι smtp.php
—ι sql_parse.php
—ι template.php
—ι topic_review.php
—ι usercp_activate.php
—ι usercp_avatar.php
—ι usercp_email.php
—ι usercp_register.php
—ι usercp_sendpasswd.php
—ι usercp_viewprofile.php

[language] — various internationalization resources, obviously has nothing to do with authentication
[templates] — templates for output, we shouldn't be interested in this

Notes

  • [xxx] means xxx is a directory
  • —› indicates entry points
  • —ι indicates pages that should not normally be directly accessed by the users


Page Links

Graph describing how non-administrative pages are linked in phpBB2. The red arrows indicate links that are only available when the user has administrator privilege.

Basically, there are two big groups of pages in phpBB2: the (normal) forum pages and the administrative pages.

The ordinary forum pages are simply all the pages in the phpBB top directory. In most cases they are linked to each other (usually via the navigation menu), save for a few, such as posting.php and modcp.php, that can only be reached from certain pages or when some conditions are met. There are also several minor inconsistencies in how the linking is done. (For instance, the link to viewforum.php is missing from groupcp.php when no group is defined, although this should logically have nothing to do with the availability of viewforum.php.)

The situation is similar for the administrative pages. In this case, however, all administrative pages are linked to each other without exception, because a static navigation menu provides links to every administrative page. The menu also links to the forum index, so the forum index is directly reachable from any administrative page. Some pages also link to pages in the non-administrative section of phpBB; for example, the Forum Admin management page contains a link to viewforum.php.


Includes

Graph describing how php files are included from index.php
Graph describing how php files are included from login.php. Note that this is essentially the same as that of index.php.

Virtually every php page in phpBB includes the following files:

  • extension.inc — defines the extension of php files
  • common.php — the "library" of common functions; it in turn includes other php files in the "includes" directory
  • page_header.php and page_tail.php — page template
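As an added example (not part of this page or of phpBB itself), a small Python script that rebuilds such an include graph statically from an entry point, assuming phpBB2's $phpbb_root_path and $phpEx variables in its concatenated include paths; the PHP snippets embedded in it are constructed stand-ins for the real files.

```python
import re

# Constructed miniature of the phpBB2 tree (not the real sources), written in phpBB2's "$phpbb_root_path . 'x.' . $phpEx" include style.
PAGE = ("<?php\n$phpbb_root_path = './';\n"
        "include($phpbb_root_path . 'extension.inc');\n"
        "include($phpbb_root_path . 'common.'.$phpEx);\n"
        "include($phpbb_root_path . 'includes/page_header.'.$phpEx);\n"
        "include($phpbb_root_path . 'includes/page_tail.'.$phpEx);\n")
SAMPLE_TREE = {
    "index.php": PAGE, "login.php": PAGE,  # same skeleton, as the page notes
    "extension.inc": "<?php\n$phpEx = 'php';\n",
    "common.php": "<?php\n" + "".join(f"include($phpbb_root_path . 'includes/{n}.'.$phpEx);\n"
                                      for n in ("constants", "db", "functions", "sessions")),
    # db layer is picked at runtime from $dbms, so it cannot be resolved statically
    "includes/db.php": "<?php\ninclude($phpbb_root_path . 'db/' . $dbms . '.' . $phpEx);\n",
    "includes/page_header.php": "<?php\ninclude($phpbb_root_path . 'includes/template.'.$phpEx);\n",
    **{f"includes/{n}.php": "<?php\n" for n in ("constants", "functions", "sessions", "page_tail", "template")},
}

INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\s*\(([^;]+)\)\s*;")
TOKEN_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"|\$(\w+)")
KNOWN_VARS = {"phpbb_root_path": "./", "phpEx": "php"}  # set by each page / extension.inc

def resolve(expr):
    """Evaluate a concatenated include path; None when it depends on runtime data."""
    out = []
    for sq, dq, var in TOKEN_RE.findall(expr):
        if var and var not in KNOWN_VARS:
            return None
        out.append(KNOWN_VARS[var] if var else (sq or dq))
    path = "".join(out)
    return path[2:] if path.startswith("./") else path

def includes_of(tree, name):
    """Direct, statically resolvable includes of one file."""
    return [p for p in map(resolve, INCLUDE_RE.findall(tree.get(name, ""))) if p]

def include_closure(tree, entry):
    """Every file transitively pulled in from an entry point, breadth first."""
    seen, queue = [], [entry]
    while queue:
        for inc in includes_of(tree, queue.pop(0)):
            if inc not in seen:
                seen.append(inc)
                queue.append(inc)
    return seen

if __name__ == "__main__":
    for entry in ("index.php", "login.php"):
        print(entry, "->", include_closure(SAMPLE_TREE, entry))
```

Includes whose path depends on a runtime variable (here the database layer chosen via $dbms) are reported as unresolved rather than guessed, which is exactly the spot a reviewer has to follow by hand.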