
Web CRON should be disabled by default


    Details

    • Testing Instructions:
      1. Do a new install and make sure setting 'cronclionly' is checked by default and the default value of the field is shown as 'yes'
      2. Try running the web cron by going to admin/cron.php and make sure you get an error
      3. Go to Site administration / Reports / Security overview
      4. Make sure you see a warning when the 'cronclionly' setting is not checked and there is no password "cronremotepassword" provided, with a link to "site policies" on the details page
      5. Drop and reinit behat test (mdk behat --force)
      6. Run behat suite and make sure all tests pass as before and there are no failures related to cron.
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_29_STABLE
    • Pull Master Branch:
      MDL-48559-master
    • Sprint:
      Team B Sprint 1, Team Beards Sprint 2
    • Issue size:
      Small

      Description

      I realised that the default setting for cron over the web is enabled, and without a password. Googling a bit proved that many sites did not disable the web cron, probably because it is not common these days to have a web cron. I think that new installations should have that setting turned off, or at the very least have a random hash as the password.

      The Web cron can be abused by attackers to:

      • Obtain information only available to logged in users, or in a context restricted to the attacker
      • Obtain information useful for attackers (IDs, file paths, etc...)
      • Potentially create overload on the server
      • ...

      You get the idea.
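The two checks the testing instructions exercise, modelled as an added PHP example: a web request to admin/cron.php is refused when 'cronclionly' is set, a 'cronremotepassword' is demanded when one is configured, and the security overview warns when neither protection is in place. This is not Moodle's own admin/cron.php or report code; the function names, the settings array shape and the error strings are invented for illustration.

```php
<?php
// Illustrative model of the cron access gate and the security-overview check.
// Setting names 'cronclionly' and 'cronremotepassword' are the ones named in
// the issue; everything else here is invented for the example.

/**
 * Decide whether a cron run may proceed.
 * $cfg:      array with 'cronclionly' (bool) and 'cronremotepassword' (string, '' = unset).
 * $iscli:    true when invoked from the command line, false for a request to admin/cron.php.
 * $password: password supplied with the web request, or null when none was given.
 * Returns null when the run is allowed, otherwise the reason shown to the caller.
 */
function cron_access_error(array $cfg, bool $iscli, ?string $password = null): ?string {
    if ($iscli) {
        return null;                    // CLI runs are never gated by these settings.
    }
    if (!empty($cfg['cronclionly'])) {
        return 'web cron is disabled';  // The new-install default after this fix.
    }
    $expected = (string)($cfg['cronremotepassword'] ?? '');
    if ($expected !== '') {
        // Constant-time comparison so the check leaks nothing about the secret.
        if ($password === null || !hash_equals($expected, $password)) {
            return 'invalid cron password';
        }
    }
    return null;                        // Web cron is open (with or without a password).
}

/** Status the security overview should report for the cron settings. */
function cron_security_status(array $cfg): string {
    if (!empty($cfg['cronclionly'])) {
        return 'ok';
    }
    if ((string)($cfg['cronremotepassword'] ?? '') !== '') {
        return 'info';                  // Web cron reachable, but behind a shared secret.
    }
    return 'warning';                   // Anyone can trigger cron: the case this issue fixes.
}

// Constructed settings: defaults after this fix, and a legacy site that left web cron open.
$fresh  = ['cronclionly' => true,  'cronremotepassword' => ''];
$legacy = ['cronclionly' => false, 'cronremotepassword' => ''];

echo "fresh install, web request: ", cron_access_error($fresh, false) ?? 'allowed', PHP_EOL;
echo "fresh install, CLI:         ", cron_access_error($fresh, true) ?? 'allowed', PHP_EOL;
echo "legacy site, overview:      ", cron_security_status($legacy), PHP_EOL;
echo "legacy site, web request:   ", cron_access_error($legacy, false) ?? 'allowed', PHP_EOL;
```

On a fresh install the first line reports the refusal that step 2 expects, while the legacy settings reproduce the open web cron and the warning that step 4 checks for.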


                Dates

                • Fix Release Date:
                  11/May/15