Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-48559

Web CRON should be disabled by default

    XMLWordPrintable

Details

    • MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • MOODLE_29_STABLE
    • MDL-48559-master
    • Easy
    • Hide
      1. Do a new install and make sure setting 'cronclionly' is checked by default and the default value of the field is shown as 'yes'
      2. Try running the web cron by going to admin/cron.php and make sure you get an error
      3. Go to Site administration / ►Reports / ►Security overview
      4. Make sure you see a warning when the 'cronclionly' setting is not checked and there is no password "cronremotepassword" provided, with a link to "site policies" on the details page
      5. Drop and reinit behat test (mdk behat --force)
      6. Run behat suite and make sure all tests pass as before and there are no failures related to cron.
      Show
      Do a new install and make sure setting 'cronclionly' is checked by default and the default value of the field is shown as 'yes' Try running the web cron by going to admin/cron.php and make sure you get an error Go to Site administration / ►Reports / ►Security overview Make sure you see a warning when the 'cronclionly' setting is not checked and there is no password "cronremotepassword" provided, with a link to "site policies" on the details page Drop and reinit behat test (mdk behat --force) Run behat suite and make sure all tests pass as before and there are no failures related to cron.
    • Team B Sprint 1, Team Beards Sprint 2
    • Small

    Description

      I realised that the default settings for cron over web is enabled, and without password. Googling a bit proved that many sites did not disable the web cron, probably because it is not common those days to have a web cron. I think that new installations should have that setting turned off, or at the very least have a random hash as password.

      The Web cron can be abused by attackers to:

      • Obtain information only available to logged in users, or in a context restricted to the attacker
      • Obtain information useful for attackers (IDs, file paths, etc...)
      • Potentially create overload on the server
      • ...

      You get the idea.

      Attachments

        Issue Links

          Activity

            People

              ankit_frenz Ankit Agarwal
              fred Frédéric Massart
              Dan Poltawski Dan Poltawski
              David Monllaó David Monllaó
              John Okely John Okely
              Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze, Stevani Andolo
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:
                11/May/15