Moodle

Tighten dataroot security checks and warn the administrator 'loudly'

Details

  • Affected Branches:
    MOODLE_16_STABLE, MOODLE_17_STABLE, MOODLE_18_STABLE, MOODLE_19_STABLE
  • Fixed Branches:
    MOODLE_19_STABLE

Description

The attached patch adds additional checks for the moodledata directory during early installation phases (much earlier than the current check inside admin/index.php), uses stronger warning messages, lets the user click on a link to actually check whether the moodle data directory is accessible from the web or not (which is far easier than trying to check it from the server itself, as it is quite complicated and depend on a lot of configuration factors) and refuses to continue the installation if the moodledata directory appears to be accesible, unless the user explicitly confirms that s/he has verified the directory is not accesible. See the attached image (called install.png) to view all the details mentionned above.

In addition to it, the current check inside admin/index.php is extended to visually notify the admin about the potential problem with moodledata, as it may happen that moodle has been installed with some automated installer that completely hides the installation process, including the warnings and the confirmation checkbox (fantastico is an example of this). So the patchs adds a visual notification about the potential problem to the administration block notifications area (see attached image called admin_block.png). When you click on it, it displays a stronger warning than the current one, lets the administration click on a link to check the moodledata directory accessibility from the web and offers a button to remove the warning (both from the administration block, and the admin notifications page).

Given that there are thousands of Moodle install all over the world with their moodledata directory open to anyone, and that having access to moodledata basically means you can do whatever you want with that moodle install (you can steal the admin user session, for example), I think it's really important to add this check & visual notification to help those people configure their sites correctly.

I'm attaching patches for 1.5, 1.6, 1.7. 1.8, 1.9 and HEAD current as of today.

Saludos. Iñaki.

Attachments

  1. Text File
    public_dataroot_stable19_8.patch
    21/Aug/08 11:34 PM
    15 kB
    Petr Škoda (skodak)
  2. Text File
    tighten-dataroot-security-checks-16-v3.diff
    20/Jul/08 4:58 AM
    10 kB
    Iñaki Arenaza
  3. Text File
    tighten-dataroot-security-checks-17-v3.diff
    20/Jul/08 4:58 AM
    10 kB
    Iñaki Arenaza
  4. Text File
    tighten-dataroot-security-checks-18-v3.diff
    20/Jul/08 4:57 AM
    10 kB
    Iñaki Arenaza
  5. Text File
    tighten-dataroot-security-checks-19-v3.diff
    20/Jul/08 4:57 AM
    10 kB
    Iñaki Arenaza
  6. Text File
    tighten-dataroot-security-checks-head-v3.diff
    20/Jul/08 4:57 AM
    10 kB
    Iñaki Arenaza
  1. admin_block.png
    19 kB
    20/Jul/08 4:59 AM
  2. admin_index.png
    64 kB
    20/Jul/08 4:59 AM
  3. install.png
    24 kB
    20/Jul/08 4:59 AM

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Iñaki Arenaza added a comment -

I said I was attaching patches for 1.5 too, but I was wrong. 1.6 is the oldest version I have patches for. Sorry for the confusion.

Saludos. Iñaki.

Show
Iñaki Arenaza added a comment - I said I was attaching patches for 1.5 too, but I was wrong. 1.6 is the oldest version I have patches for. Sorry for the confusion. Saludos. Iñaki.
Hide
Permalink
Iñaki Arenaza added a comment -

Here are the images of the screenshots.

Saludos. Iñaki.

Show
Iñaki Arenaza added a comment - Here are the images of the screenshots. Saludos. Iñaki.
Hide
Permalink
Iñaki Arenaza added a comment -

Lower the security level, so anyone can have a look at the proposed patches. After all, this issue is already well known.

Saludos. Iñaki.

Show
Iñaki Arenaza added a comment - Lower the security level, so anyone can have a look at the proposed patches. After all, this issue is already well known. Saludos. Iñaki.
Hide
Permalink
Howard Miller added a comment -

Excellent good idea... this is one of those things that seemed like such a fundamentally good idea that I always kind of assumed there was a reason why we didn't have this ages ago. Is there?

Show
Howard Miller added a comment - Excellent good idea... this is one of those things that seemed like such a fundamentally good idea that I always kind of assumed there was a reason why we didn't have this ages ago. Is there?
Hide
Permalink
Petr Škoda (skodak) added a comment -

hmm, I do not think the code in is_dataroot_insecure() is 100% accurate for all setups, clicking on link may not always validate that moodledata is not accessible

I am not sure I like the option to remove the warning, many people either do not understand English enough (not all lang packs will have it translated) or click anything. If implemented it should be IMO user preference, not site setting. We have already discussed some ideas related to general notification framework, unfortunately there was not enough time to do that during 1.9dev last year

I agree that this security warning should be more annoying and visible - different CSS (red color?), bigger font (bold?), different wording.
The changes in installer is a good idea. The target="_new" is not strict and the <u> tag is not nice. Maybe the wording could be improved a bit.

assigning to Martin for final decision

Show
Petr Škoda (skodak) added a comment - hmm, I do not think the code in is_dataroot_insecure() is 100% accurate for all setups, clicking on link may not always validate that moodledata is not accessible I am not sure I like the option to remove the warning, many people either do not understand English enough (not all lang packs will have it translated) or click anything. If implemented it should be IMO user preference, not site setting. We have already discussed some ideas related to general notification framework, unfortunately there was not enough time to do that during 1.9dev last year I agree that this security warning should be more annoying and visible - different CSS (red color?), bigger font (bold?), different wording. The changes in installer is a good idea. The target="_new" is not strict and the <u> tag is not nice. Maybe the wording could be improved a bit. assigning to Martin for final decision
Hide
Permalink
Iñaki Arenaza added a comment -

I know the code in is_data_root_insecure() is not 100% proof. There are lots of ways to configure your web server to deliver your content even if the tests in is_data_root_insecure() fail to noice it, with tricks like location aliasing, filesystem symlinking, url rewriting and so on.

But I posit that those savvy enough to do all those tricks don't need this check and the associated warnings. It's the non-technical people that use a shared hosting setup who need this. Specially if they use the-easy-to-setup but brain-damaged (wrt the final configuration) Fantastico installer.

Whether you make the option to remove the warning a site setting or an (admin) user preference, I don't really mind. As to the lang packs not translating the text, it'll be no worse than the current situation, where a user can be vulnerable and still not know it. So this can only be an improvement

Regarding the '_new', <u> tag and the improved wording, feel free to change it as much as you want. All I really want is the general functionality of the patch to be added to the core as fast as possible, so vulnerable people can get a warning of their current situation as soon as possible.

Saludos. Iñaki.

Show
Iñaki Arenaza added a comment - I know the code in is_data_root_insecure() is not 100% proof. There are lots of ways to configure your web server to deliver your content even if the tests in is_data_root_insecure() fail to noice it, with tricks like location aliasing, filesystem symlinking, url rewriting and so on. But I posit that those savvy enough to do all those tricks don't need this check and the associated warnings. It's the non-technical people that use a shared hosting setup who need this. Specially if they use the-easy-to-setup but brain-damaged (wrt the final configuration) Fantastico installer. Whether you make the option to remove the warning a site setting or an (admin) user preference, I don't really mind. As to the lang packs not translating the text, it'll be no worse than the current situation, where a user can be vulnerable and still not know it. So this can only be an improvement Regarding the '_new', <u> tag and the improved wording, feel free to change it as much as you want. All I really want is the general functionality of the patch to be added to the core as fast as possible, so vulnerable people can get a warning of their current situation as soon as possible. Saludos. Iñaki.
Hide
Permalink
Petr Škoda (skodak) added a comment -

Maybe I am missing something here, let me sum up the dataroot problem:

1/ July 2006 - Steve Lord reported that misconfigured sites are vulnerable - Google search confirmed this is a real problem

2/ August 2006 - I have proposed code that changed default (often not safe) dataroot location in installer and also added warning on admin/index.php, please note the admin/index.php is displayed right after installation and after EACH upgrade; Several people including Iñaki, TIm, Howard really helped to improve my solution.

3/ I have also done some more Google research at that time - it was really scary We have notified several large sites before the release.

4/ September 2006 - Moodle 1.6.2 released - the first version with warning included; after this many ppl asked in Moodle.org forums "how do I fix that new warning on admin page?"

I really like this patch, but:

  • it helps only for sites that do upgrades - if I search for allinurl:moodledata/sessions I get around 1k of results and many of them are repeated hits, many of them show dates from 2006 - conclusion: warnings did not help to fix abandoned or not maintained sites
  • not many people are upgrading to latest cvs nightlies or weeklies - conclusion: we do not need to rush the commits here, it should be enough to do it before next releases
  • we must finalise the language strings before commit and coordinate this with translators - conclusion: we have to wait for ppl to get from vacations
Show
Petr Škoda (skodak) added a comment - Maybe I am missing something here, let me sum up the dataroot problem: 1/ July 2006 - Steve Lord reported that misconfigured sites are vulnerable - Google search confirmed this is a real problem 2/ August 2006 - I have proposed code that changed default (often not safe) dataroot location in installer and also added warning on admin/index.php, please note the admin/index.php is displayed right after installation and after EACH upgrade; Several people including Iñaki, TIm, Howard really helped to improve my solution. 3/ I have also done some more Google research at that time - it was really scary We have notified several large sites before the release. 4/ September 2006 - Moodle 1.6.2 released - the first version with warning included; after this many ppl asked in Moodle.org forums "how do I fix that new warning on admin page?" I really like this patch, but:
  • it helps only for sites that do upgrades - if I search for allinurl:moodledata/sessions I get around 1k of results and many of them are repeated hits, many of them show dates from 2006 - conclusion: warnings did not help to fix abandoned or not maintained sites
  • not many people are upgrading to latest cvs nightlies or weeklies - conclusion: we do not need to rush the commits here, it should be enough to do it before next releases
  • we must finalise the language strings before commit and coordinate this with translators - conclusion: we have to wait for ppl to get from vacations
Hide
Permalink
Howard Miller added a comment -

Surely even if we stop new sites having their dataroots accessible (i.e. check in the install scripts) it would be a good start. At least it's putting a finger in the dam so to speak.

Show
Howard Miller added a comment - Surely even if we stop new sites having their dataroots accessible (i.e. check in the install scripts) it would be a good start. At least it's putting a finger in the dam so to speak.
Hide
Permalink
Iñaki Arenaza added a comment -

Petr,

I think you should remove the config.phpx file from the public_dataroot_19stable_6.patch file (and maybe change the passwords of the databases mentionned there).

saludos. Iñaki.

Show
Iñaki Arenaza added a comment - Petr, I think you should remove the config.phpx file from the public_dataroot_19stable_6.patch file (and maybe change the passwords of the databases mentionned there). saludos. Iñaki.
Hide
Permalink
Dan Poltawski added a comment -

Raising security level of this till Petr gets this message

Show
Dan Poltawski added a comment - Raising security level of this till Petr gets this message
Hide
Permalink
Petr Škoda (skodak) added a comment -

at least now you know what password to use if you hack my local wifi network :-D

Show
Petr Škoda (skodak) added a comment - at least now you know what password to use if you hack my local wifi network :-D
Hide
Permalink
Petr Škoda (skodak) added a comment -

fixed patch uploaded, thanks!

Show
Petr Škoda (skodak) added a comment - fixed patch uploaded, thanks!
Hide
Permalink
Petr Škoda (skodak) added a comment -

obligatory screenshot attached

Show
Petr Škoda (skodak) added a comment - obligatory screenshot attached
Hide
Permalink
Martin Dougiamas added a comment -

Looks OK to me as an improvement on the checking we were already doing.

I would just suggest change the wording slightly on the admin/index.php warning (http://tracker.moodle.org/secure/attachment/14918/warning.jpeg) to:

SECURITY WARNING! Your dataroot directory is in the wrong location and is exposed to the web. This means that all your private files are available to anyone in the world, and some of them could be used by a cracker to obtain unauthorised administrative access to your site!

You must move your dataroot directory (/home/something/www/dataroot) to a new location that is not within your public web directory, and update the $CFG->dataroot setting in your config.php accordingly.

Show
Martin Dougiamas added a comment - Looks OK to me as an improvement on the checking we were already doing. I would just suggest change the wording slightly on the admin/index.php warning (http://tracker.moodle.org/secure/attachment/14918/warning.jpeg) to: SECURITY WARNING! Your dataroot directory is in the wrong location and is exposed to the web. This means that all your private files are available to anyone in the world, and some of them could be used by a cracker to obtain unauthorised administrative access to your site! You must move your dataroot directory (/home/something/www/dataroot) to a new location that is not within your public web directory, and update the $CFG->dataroot setting in your config.php accordingly.
Hide
Permalink
Iñaki Arenaza added a comment -

Lowering the security level now that Petr has removed the problematic section from the patch

Saludos. Iñaki.

Show
Iñaki Arenaza added a comment - Lowering the security level now that Petr has removed the problematic section from the patch Saludos. Iñaki.
Hide
Permalink
Petr Škoda (skodak) added a comment -

removing my outdated screenshot, finishing patch for cvs commit

Show
Petr Škoda (skodak) added a comment - removing my outdated screenshot, finishing patch for cvs commit
Hide
Permalink
Petr Škoda (skodak) added a comment -

patch committed into cvs HEAD nad 19stable,
sending latest patch in case somebody volunteers to backport it and test in older branches

Show
Petr Škoda (skodak) added a comment - patch committed into cvs HEAD nad 19stable, sending latest patch in case somebody volunteers to backport it and test in older branches
Hide
Permalink
Petr Škoda (skodak) added a comment - - edited

Please test and reopen if any problems found,
please file a new issue if you volunteer to backport this improvement into older branches

Petr

Show
Petr Škoda (skodak) added a comment - - edited Please test and reopen if any problems found, please file a new issue if you volunteer to backport this improvement into older branches Petr
Hide
Permalink
Tim Hunt added a comment -

I think that my development environment confuses the new code.

In /var/www I have a moodledata folder writable by the web server, and a symbolic link from moodle -> /home/tim/Workspace/moodle_head/. So in config.php I have

$CFG->wwwroot = 'http://tim.moodle.com/moodle';
$CFG->dirroot = '/home/tim/Workspace/moodle_head';
$CFG->dataroot = '/var/www/moodledata';

I believe this is insecure, but I don't see the admin warning.

(If I try changing $CFG->dirroot to "/var/www/1.9"; then I get told to change it back, which I think is good.)

Looking at the code in is_dataroot_insecure it is hard to see how to generalise it to cover cases like this (I know, why don't we try to find and parse the Apache config file ). Anyway, I just thought I should report what I am seeing.

Show
Tim Hunt added a comment - I think that my development environment confuses the new code. In /var/www I have a moodledata folder writable by the web server, and a symbolic link from moodle -> /home/tim/Workspace/moodle_head/. So in config.php I have $CFG->wwwroot = 'http://tim.moodle.com/moodle'; $CFG->dirroot = '/home/tim/Workspace/moodle_head'; $CFG->dataroot = '/var/www/moodledata'; I believe this is insecure, but I don't see the admin warning. (If I try changing $CFG->dirroot to "/var/www/1.9"; then I get told to change it back, which I think is good.) Looking at the code in is_dataroot_insecure it is hard to see how to generalise it to cover cases like this (I know, why don't we try to find and parse the Apache config file ). Anyway, I just thought I should report what I am seeing.
Hide
Permalink
Iñaki Arenaza added a comment -

Tim,

as I said before, there are dozens of cases that can't be caught be this kind of checks. Using symbolic links like you do is one. Using 'virtual directories' (in IIS parlance, Aliases under Apache) or rewriting urls (with mod_rewrite under Apache or equivalent tools under IIS) are others.

You particular configuration could be detected by using the $_SERVER['DOCUMENT_ROOT'] value, and checking that $CFG->dataroot is not inside it. Of course this doesn't detect all the vulnerable configurations (aliases, url rewriting, etc.) but it puts 'another finger in the dam'.

Saludos. Iñaki.

Show
Iñaki Arenaza added a comment - Tim, as I said before, there are dozens of cases that can't be caught be this kind of checks. Using symbolic links like you do is one. Using 'virtual directories' (in IIS parlance, Aliases under Apache) or rewriting urls (with mod_rewrite under Apache or equivalent tools under IIS) are others. You particular configuration could be detected by using the $_SERVER['DOCUMENT_ROOT'] value, and checking that $CFG->dataroot is not inside it. Of course this doesn't detect all the vulnerable configurations (aliases, url rewriting, etc.) but it puts 'another finger in the dam'. Saludos. Iñaki.

Dates

  • Created:
    Updated:
    Resolved:
Atlassian JIRA (v4.4.3#663-r165197) | Report a problem
Powered by a free Atlassian JIRA open source license for Moodle. Try JIRA - bug tracking software for your team.