Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-10046

Getting rid of register_shutdown_function() in cron.php to prevent path disclosure (reported by lacton)

    XMLWordPrintable

    Details

    • Type: Task
    • Status: Unverified Fix (View Workflow)
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.0.8
    • Fix Version/s: 3.0.9-RC1
    • Component/s: None
    • Labels:
      None

      Description

      This issue was first reported by lacton via the security tracker.

      In certain conditions, phpBB is exposing the full path of cron.php. ie apache access log shows requests:
      "GET /var/www/jadephpbb/httpdocs/cron.php?cron_type=tidy_search HTTP/1.1" 404 304 "https://forums.jadeworld.com/viewtopic.php?f=9&t=1206&start=0"

      Support topic: http://www.phpbb.com/community/viewtopic.php?f=46&t=2121664

        Attachments

          Issue Links

          is related to

          Bug - A problem which impairs or prevents the functions of the product. PHPBB3-8334 common.php code for IN_CRON

          • Closed

            Activity

              People

              Assignee:
              bantu Andreas Fischer
              Reporter:
              Oleg Oleg [X] (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: