|
Iñaki Arenaza made changes - 20/Jul/08 04:58 AM
Here are the images of the screenshots.
Saludos. Iñaki.
Iñaki Arenaza made changes - 20/Jul/08 04:59 AM
Lower the security level, so anyone can have a look at the proposed patches. After all, this issue is already well known.
Saludos. Iñaki.
Iñaki Arenaza made changes - 12/Aug/08 05:49 PM
Excellent good idea... this is one of those things that seemed like such a fundamentally good idea that I always kind of assumed there was a reason why we didn't have this ages ago. Is there?
hmm, I do not think the code in is_dataroot_insecure() is 100% accurate for all setups, clicking on link may not always validate that moodledata is not accessible
I am not sure I like the option to remove the warning, many people either do not understand English enough (not all lang packs will have it translated) or click anything. If implemented it should be IMO user preference, not site setting. We have already discussed some ideas related to general notification framework, unfortunately there was not enough time to do that during 1.9dev last year I agree that this security warning should be more annoying and visible - different CSS (red color?), bigger font (bold?), different wording. assigning to Martin for final decision
Petr Skoda made changes - 13/Aug/08 12:35 AM
I know the code in is_data_root_insecure() is not 100% proof. There are lots of ways to configure your web server to deliver your content even if the tests in is_data_root_insecure() fail to noice it, with tricks like location aliasing, filesystem symlinking, url rewriting and so on.
But I posit that those savvy enough to do all those tricks don't need this check and the associated warnings. It's the non-technical people that use a shared hosting setup who need this. Specially if they use the-easy-to-setup but brain-damaged (wrt the final configuration) Fantastico installer. Whether you make the option to remove the warning a site setting or an (admin) user preference, I don't really mind. As to the lang packs not translating the text, it'll be no worse than the current situation, where a user can be vulnerable and still not know it. So this can only be an improvement Regarding the '_new', <u> tag and the improved wording, feel free to change it as much as you want. All I really want is the general functionality of the patch to be added to the core as fast as possible, so vulnerable people can get a warning of their current situation as soon as possible. Saludos. Iñaki. Maybe I am missing something here, let me sum up the dataroot problem:
1/ July 2006 - Steve Lord reported that misconfigured sites are vulnerable - Google search confirmed this is a real problem 2/ August 2006 - I have proposed code that changed default (often not safe) dataroot location in installer and also added warning on admin/index.php, please note the admin/index.php is displayed right after installation and after EACH upgrade; Several people including Iñaki, TIm, Howard really helped to improve my solution. 3/ I have also done some more Google research at that time - it was really scary 4/ September 2006 - Moodle 1.6.2 released - the first version with warning included; after this many ppl asked in Moodle.org forums "how do I fix that new warning on admin page?" I really like this patch, but:
Surely even if we stop new sites having their dataroots accessible (i.e. check in the install scripts) it would be a good start. At least it's putting a finger in the dam so to speak.
Petr Skoda made changes - 19/Aug/08 07:54 PM
Petr Skoda made changes - 19/Aug/08 08:40 PM
Petr Skoda made changes - 19/Aug/08 08:40 PM
Petr Skoda made changes - 20/Aug/08 04:14 AM
Petr Skoda made changes - 20/Aug/08 04:14 AM
Petr Skoda made changes - 20/Aug/08 04:14 AM
Petr,
I think you should remove the config.phpx file from the public_dataroot_19stable_6.patch file (and maybe change the passwords of the databases mentionned there). saludos. Iñaki. Raising security level of this till Petr gets this message
Dan Poltawski made changes - 20/Aug/08 06:26 PM
at least now you know what password to use if you hack my local wifi network :-D
Petr Skoda made changes - 21/Aug/08 01:33 AM
fixed patch uploaded, thanks!
Petr Skoda made changes - 21/Aug/08 01:34 AM
obligatory screenshot attached
Petr Skoda made changes - 21/Aug/08 04:09 PM
Looks OK to me as an improvement on the checking we were already doing.
I would just suggest change the wording slightly on the admin/index.php warning (http://tracker.moodle.org/secure/attachment/14918/warning.jpeg SECURITY WARNING! Your dataroot directory is in the wrong location and is exposed to the web. This means that all your private files are available to anyone in the world, and some of them could be used by a cracker to obtain unauthorised administrative access to your site! You must move your dataroot directory (/home/something/www/dataroot) to a new location that is not within your public web directory, and update the $CFG->dataroot setting in your config.php accordingly. Lowering the security level now that Petr has removed the problematic section from the patch
Saludos. Iñaki.
Iñaki Arenaza made changes - 21/Aug/08 06:37 PM
Petr Skoda made changes - 21/Aug/08 06:43 PM
Petr Skoda made changes - 21/Aug/08 06:43 PM
removing my outdated screenshot, finishing patch for cvs commit
Petr Skoda committed 9 files to 'Moodle CVS' - 21/Aug/08 11:29 PM
Petr Skoda committed 9 files to 'Moodle CVS' on branch 'MOODLE_19_STABLE' - 21/Aug/08 11:31 PM
Petr Skoda made changes - 21/Aug/08 11:31 PM
Petr Skoda made changes - 21/Aug/08 11:31 PM
patch committed into cvs HEAD nad 19stable,
sending latest patch in case somebody volunteers to backport it and test in older branches
Petr Skoda made changes - 21/Aug/08 11:34 PM
Please test and reopen if any problems found,
please file a new issue if you volunteer to backport this improvement into older branches
Petr
Petr Skoda made changes - 21/Aug/08 11:40 PM
Petr Skoda made changes - 21/Aug/08 11:41 PM
Mitsuhiro Yoshida committed 4 files to 'Lang CVS' - 22/Aug/08 08:26 AM
martignoni committed 2 files to 'Lang CVS' - 23/Aug/08 12:26 AM
I think that my development environment confuses the new code.
In /var/www I have a moodledata folder writable by the web server, and a symbolic link from moodle -> /home/tim/Workspace/moodle_head/. So in config.php I have $CFG->wwwroot = 'http://tim.moodle.com/moodle'; I believe this is insecure, but I don't see the admin warning. (If I try changing $CFG->dirroot to "/var/www/1.9"; then I get told to change it back, which I think is good.) Looking at the code in is_dataroot_insecure it is hard to see how to generalise it to cover cases like this (I know, why don't we try to find and parse the Apache config file Tim,
as I said before, there are dozens of cases that can't be caught be this kind of checks. Using symbolic links like you do is one. Using 'virtual directories' (in IIS parlance, Aliases under Apache) or rewriting urls (with mod_rewrite under Apache or equivalent tools under IIS) are others. You particular configuration could be detected by using the $_SERVER['DOCUMENT_ROOT'] value, and checking that $CFG->dataroot is not inside it. Of course this doesn't detect all the vulnerable configurations (aliases, url rewriting, etc.) but it puts 'another finger in the dam'. Saludos. Iñaki.
Nicolas Connault made changes - 21/Oct/08 09:01 PM
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Improvement
Closed
Major
Tighten dataroot security checks and warn the administrator 'loudly'
 |
|
Saludos. Iñaki.