Uploaded image for project: 'phpBB'
  1. phpBB
  2. PHPBB-10046

Getting rid of register_shutdown_function() in cron.php to prevent path disclosure (reported by lacton)

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Fixed
    • Icon: Blocker Blocker
    • 3.0.9-RC1
    • 3.0.8
    • None
    • None

      This issue was first reported by lacton via the security tracker.

      In certain conditions, phpBB is exposing the full path of cron.php. ie apache access log shows requests:
      "GET /var/www/jadephpbb/httpdocs/cron.php?cron_type=tidy_search HTTP/1.1" 404 304 "https://forums.jadeworld.com/viewtopic.php?f=9&t=1206&start=0"

      Support topic: http://www.phpbb.com/community/viewtopic.php?f=46&t=2121664

            bantu Andreas Fischer [X] (Inactive)
            Oleg Oleg [X] (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: