[PHPBB3-10046] Getting rid of register_shutdown_function() in cron.php to prevent path disclosure (reported by lacton)

XML

Word

Printable

Details

Type: Task
Status: Unverified Fix (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.0.8
Fix Version/s: 3.0.9-RC1
Component/s: None
Labels:
None

Fix URL:
https://github.com/phpbb/phpbb3/pull/126

Description

This issue was first reported by lacton via the security tracker.

In certain conditions, phpBB is exposing the full path of cron.php. ie apache access log shows requests:
"GET /var/www/jadephpbb/httpdocs/cron.php?cron_type=tidy_search HTTP/1.1" 404 304 "https://forums.jadeworld.com/viewtopic.php?f=9&t=1206&start=0"

Support topic: http://www.phpbb.com/community/viewtopic.php?f=46&t=2121664

Attachments

Issue Links

is related to

PHPBB3-8334 common.php code for IN_CRON

Closed

Activity

People

Assignee:: Andreas Fischer [X] (Inactive)

Reporter:: Oleg [X] (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 18/Feb/11 1:57 AM

Updated:: 12/Mar/11 6:43 PM

Resolved:: 12/Mar/11 2:12 PM