Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-10046

Getting rid of register_shutdown_function() in cron.php to prevent path disclosure (reported by lacton)

          Details

          • Type: Task
          • Status: Unverified Fix (View Workflow)
          • Priority: Blocker
          • Resolution: Fixed
          • Affects Version/s: 3.0.8
          • Fix Version/s: 3.0.9-RC1
          • Component/s: None
          • Labels:
            None

            Description

            This issue was first reported by lacton via the security tracker.

            In certain conditions, phpBB is exposing the full path of cron.php. ie apache access log shows requests:
            "GET /var/www/jadephpbb/httpdocs/cron.php?cron_type=tidy_search HTTP/1.1" 404 304 "https://forums.jadeworld.com/viewtopic.php?f=9&t=1206&start=0"

            Support topic: http://www.phpbb.com/community/viewtopic.php?f=46&t=2121664

              Attachments

                Issue Links

                is related to

                Bug - A problem which impairs or prevents the functions of the product. PHPBB3-8334 common.php code for IN_CRON

                • Closed

                  Activity

                    People

                    • Assignee:
                      bantu bantu
                      Reporter:
                      Oleg Oleg [X] (Inactive)
                    • Votes:
                      0 Vote for this issue
                      Watchers:
                      1 Start watching this issue

                      Dates

                      • Created:
                        Updated:
                        Resolved: