MyBB Community Forums

Full Version: Strange login/redirect problem
You're currently viewing a stripped down version of our content. View the full version with proper formatting.
Hi all,

I decided to install MyBB yesterday and it was working fine (more or less), until it suddenly decided to break. After much reinstalling, it seems like it has calmed down, but causes a few problems one in a while.

Here it is.

I installed MyBB at www.thelibertyhq.org/forums/ with the default settings, and for some reason at times the links that are on the forum and the link to the admin CP includes an extra "thelibertyhq.org" in the URL. That is, it looks like

www.thelibertyhq.org/thelibertyhq.org/forums/

This is causing me some login problems with the admin page. When I log in to the forum, it gives me the link to the admin CP, but sometimes when I click on it it forces me to login again at the page www.thelibertyhq.org/forums/admin/

So good so far, but after I put in the correct data it redirects me to www.thelibertyhq.org/thelibertyhq.org/forums/admin/ and forces me to log in again. The problem is here - it simply doesn't let me log in. It doesn't say wrong password (I tried a wrong one on purpose one time and it had an error message), it doesn't do anything - it just sends the login data and gives me back the same page.

Sometimes I can fix the problem by forcing the url to remove the extra domain directory (that's what I'll call it) that it puts in, but sometimes that doesn't work.

Do you have any idea why this might be happening?

I have checked the cookie settings literally at least 15 times (I even used that tool that tells you what values to use). It has started behaving a little better of late (very few links now exhibit this redirecting behavior), but it still happens occasionally.

Thoughts?
What is your "Board URL" setting set to? Have you tried to change the admin url in the config file?
The board URL is just "http://www.thelibertyhq.org/forums"

I have not tried changing the admin URL. It's just "admin"
Can you check if its an XSS?
How would I do that?
Is there a way to reproduce it consistently? Like is there a link that always shows that extra directory that you can tell us where it is? I looked on your forum homepage, couldn't find any links that were malformed.

Does it only happen when you're logged into a certain account? or if you're using a certain theme?
Well, it has stopped doing it now. I'll come back if it stars messing up again. Thanks Smile

(And sorry that I can't reproduce it. Hey, at least the problem's solved!)
Alright, so I know that what I am doing with this thread borders on necromancy, but I wanted to post the solution in case any other poor soul had the same problem.

The reason why it was adding the domain in once again is because $_SERVER['PHP_SELF'] evaluated to that whole string. Why? Well, because my entire website is hosted on GoDaddy, and I share space with other websites, and so the path actually includes the directory which has my website, which is /thelibertyhq.org/, (that is the actual directory with my website in it, relative to the root).

The solution is to remove out that extra folder. You can do

$_SERVER['PHP_SELF'] = str_replace("/thelibertyhq.org", "", $_SERVER['PHP_SELF']);

right before all the places where $_SERVER['PHP_SELF'] is called.

Hope I helped someone!