phpBB3

Getting rid of register_shutdown_function() in cron.php to prevent path disclosure (reported by lacton)

Details

  • Type: Task Task
  • Status: Unverified Fix Unverified Fix
  • Priority: Blocker Blocker
  • Resolution: Fixed
  • Affects Version/s: 3.0.8
  • Fix Version/s: 3.0.9-RC1
  • Component/s: None
  • Labels:
    None

Description

This issue was first reported by lacton via the security tracker.

In certain conditions, phpBB is exposing the full path of cron.php. ie apache access log shows requests:
"GET /var/www/jadephpbb/httpdocs/cron.php?cron_type=tidy_search HTTP/1.1" 404 304 "https://forums.jadeworld.com/viewtopic.php?f=9&t=1206&start=0"

Support topic: http://www.phpbb.com/community/viewtopic.php?f=46&t=2121664

Issue Links

is related to

Bug - A problem which impairs or prevents the functions of the product. PHPBB3-8334 common.php code for IN_CRON

  • Closed - The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Oleg added a comment - - edited

The current fix options are as follows.

For 3.0, we have a minimal fix here:

https://github.com/p/phpbb3/compare/develop-olympus...ticket%2F10046-v2

The actual fix is in the first commit, the second commit is a relevant change but not technically part of the fix.

Note that due to http://tracker.phpbb.com/browse/PHPBB3-9912 the first commit will not apply cleanly to 3.0.8 (but the logic does transfer over).

For 3.1, the "proper" proposed fix is here:

https://github.com/p/phpbb3/compare/develop...ticket%2F10046

Note that the two 3.0 commits need to be merged into develop, then the first commit reverted and conflicts between the second commit and unrelated changes in develop resolved, then the 3.1 fix applied on top.

Show
Oleg added a comment - - edited The current fix options are as follows. For 3.0, we have a minimal fix here: https://github.com/p/phpbb3/compare/develop-olympus...ticket%2F10046-v2 The actual fix is in the first commit, the second commit is a relevant change but not technically part of the fix. Note that due to http://tracker.phpbb.com/browse/PHPBB3-9912 the first commit will not apply cleanly to 3.0.8 (but the logic does transfer over). For 3.1, the "proper" proposed fix is here: https://github.com/p/phpbb3/compare/develop...ticket%2F10046 Note that the two 3.0 commits need to be merged into develop, then the first commit reverted and conflicts between the second commit and unrelated changes in develop resolved, then the 3.1 fix applied on top.
Hide
Permalink
Joas Schilling added a comment -

Your 3.1 code still breaks all MODs files...

Show
Joas Schilling added a comment - Your 3.1 code still breaks all MODs files...
Hide
Permalink
Oleg added a comment -

I think that is acceptable. Do you have an alternate proposal?

Show
Oleg added a comment - I think that is acceptable. Do you have an alternate proposal?

People

  • Assignee:
    Andreas Fischer
    Reporter:
    Oleg
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: