Not a bug: An issue has been discovered with the controller

Sado Yasashii
Active member

Affected version: 2.3.7
An error has been discovered where the controller:
  • in XF 2.2.* – XF\Admin\Controller\Login
  • in XF 2.3.* – XF\Admin\Controller\LoginController
does not work correctly if you enter a URL like https://site.com////admin.php in the browser. No matter how many slashes are added before admin.php, the page will still open, even if direct URL access is forcibly restricted.

The issue was discovered while addressing the problem of redirecting guests to the homepage when attempting to access the admin panel via https://site.com/admin.php. It has been confirmed that this bug is present in both XF 2.3 and XF 2.2.

To reproduce the error, you need to access the admin panel URL with multiple slashes as a guest.

This is a rather serious vulnerability.

Please investigate.

does not work correctly if you enter a URL like https://site.com////admin.php in the browser. No matter how many slashes are added before admin.php, the page will still open, even if direct URL access is forcibly restricted.
How are you restricting access to admin.php? This method doesn't work on 2.3.6 with admin.php protected at the server level. (NGINX)
XF doesn't provide explicit protection against URL entry to the ACP login page... we usually set up an additional layer above that to prevent people from accessing the page.

How are you restricting access to admin.php? This method doesn't work on 2.3.6 with admin.php protected at the server level. (NGINX)
XF doesn't provide explicit protection against URL entry to the ACP login page... we usually set up an additional layer above that to prevent people from accessing the page.
This plugin (XF2-ProtectACP) was originally used to handle guest redirection in XF 2.2, but it doesn't work in XF 2.3. After examining the code to adapt it for 2.3, it turned out that due to the bug mentioned above, the plugin fails to function properly and still allows guests to access the admin panel. If not for this issue, the problem might have gone unnoticed.

Managed to fix the access issue by modifying the plugin’s code, but it would be ideal if the core XF version addressed the controller handling bug to ensure proper security.
It’s really not a controller level / application level bug. This is just how most web servers handle URLs.

If the add-on has been updated to resolve this issue, that is likely the best course of action.
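The report above (a guard that compares the literal request path is bypassed by extra leading slashes, because the web server still serves admin.php for all of them) comes down to comparing an un-normalised path. As an added example that is not code from the thread, the add-on or XenForo, the following Python shows the literal comparison beside a version that canonicalises the request path first; all function names and the sample paths are assumptions made for the illustration.

```python
import posixpath
import re
from urllib.parse import unquote

ADMIN_PATH = "/admin.php"  # the protected script, as in the report


def naive_is_admin_path(request_path: str) -> bool:
    """Exact string comparison: the kind of check the report describes as
    bypassed, since '////admin.php' != '/admin.php' even though the web server
    serves the same script for both."""
    return request_path == ADMIN_PATH


def normalize_path(request_path: str) -> str:
    """Canonicalise a request path before comparing it with a protected path.

    Steps: drop the query string, percent-decode once, collapse runs of '/',
    then resolve '.' and '..' segments. The explicit collapse runs before
    posixpath.normpath because normpath deliberately keeps a leading '//'
    (POSIX allows it to be meaningful), so '//admin.php' would survive it."""
    path = request_path.partition("?")[0]
    path = unquote(path)
    path = re.sub(r"/+", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def hardened_is_admin_path(request_path: str) -> bool:
    """Compare the canonical form, so any number of leading slashes, dot
    segments or percent-encoding gives the same answer as '/admin.php'."""
    return normalize_path(request_path) == ADMIN_PATH


def guest_access_decision(request_path: str, is_guest: bool, is_admin_path) -> str:
    """Decision a guest-redirect guard would make: 'deny' (redirect to the
    homepage) when a guest requests the ACP, 'allow' otherwise."""
    if is_guest and is_admin_path(request_path):
        return "deny"
    return "allow"


if __name__ == "__main__":
    # Constructed sample request paths, including the shape from the report.
    samples = ["/admin.php", "////admin.php", "/forum/../admin.php?x=1",
               "/%61dmin.php", "/index.php"]
    for p in samples:
        naive = guest_access_decision(p, True, naive_is_admin_path)
        hard = guest_access_decision(p, True, hardened_is_admin_path)
        print(f"{p:28} naive={naive:5} hardened={hard}")
```

This only closes the comparison gap inside the application; a server-level rule in front of admin.php, as the earlier reply describes, is still the layer that does not depend on the application seeing the request at all.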