Moodle / MDL-48559

Web CRON should be disabled by default


    Details

    • Testing Instructions:
      1. Do a new install and make sure setting 'cronclionly' is checked by default and the default value of the field is shown as 'yes'
      2. Try running the web cron by going to admin/cron.php and make sure you get an error
      3. Go to Site administration / ►Reports / ►Security overview
      4. Make sure you see a warning when the 'cronclionly' setting is not checked and there is no password "cronremotepassword" provided, with a link to "site policies" on the details page
      5. Drop and reinit behat test (mdk behat --force)
      6. Run behat suite and make sure all tests pass as before and there are no failures related to cron.
    • Difficulty:
      Easy
    • Affected Branches:
      MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
    • Fixed Branches:
      MOODLE_29_STABLE
    • Pull Master Branch:
      MDL-48559-master
    • Sprint:
      Team B Sprint 1, Team Beards Sprint 2
    • Issue size:
      Small

      Description

      I realised that the default setting for cron over the web is enabled, and without a password. Googling a bit proved that many sites did not disable the web cron, probably because it is not common these days to have a web cron. I think that new installations should have that setting turned off, or at the very least have a random hash as the password.

      The Web cron can be abused by attackers to:

      • Obtain information only available to logged in users, or in a context restricted to the attacker
      • Obtain information useful for attackers (IDs, file paths, etc...)
      • Potentially create overload on the server
      • ...

      You get the idea.
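      To make the two settings from the testing instructions concrete, here is an added example (not Moodle's own code) that models the decision admin/cron.php and the Security overview report make from 'cronclionly' and 'cronremotepassword'. The request parameter name 'password' and the return labels are assumptions; the configurations are constructed.

```php
<?php
// Added example, not Moodle code: models how the two settings named in this
// issue decide web cron access. Setting names are the real ones; the request
// parameter name 'password' is an assumption.

/**
 * Decide whether a web request may run cron.
 * @param stdClass $cfg      object with ->cronclionly and ->cronremotepassword
 * @param string   $supplied password sent with the request (may be empty)
 * @return string  'denied:cli-only', 'denied:bad-password' or 'allowed'
 */
function web_cron_access(stdClass $cfg, string $supplied): string {
    if (!empty($cfg->cronclionly)) {
        return 'denied:cli-only';          // Step 2 of the test expects this error.
    }
    if (!empty($cfg->cronremotepassword)) {
        // Constant-time comparison so the check does not leak the password.
        if (!hash_equals((string) $cfg->cronremotepassword, $supplied)) {
            return 'denied:bad-password';
        }
    }
    return 'allowed';                      // No password set: anyone can trigger cron.
}

/**
 * Security overview check from step 4: warn when web cron is open.
 */
function cron_security_status(stdClass $cfg): string {
    if (empty($cfg->cronclionly) && empty($cfg->cronremotepassword)) {
        return 'warning';
    }
    return 'ok';
}

// Constructed configurations.
$legacy = (object) ['cronclionly' => 0, 'cronremotepassword' => ''];  // old default
$fixed  = (object) ['cronclionly' => 1, 'cronremotepassword' => ''];  // new default
$pw     = (object) ['cronclionly' => 0, 'cronremotepassword' => 'example-secret'];

assert(cron_security_status($legacy) === 'warning');
assert(cron_security_status($fixed) === 'ok');
assert(web_cron_access($legacy, '') === 'allowed');
assert(web_cron_access($fixed, 'example-secret') === 'denied:cli-only');
assert(web_cron_access($pw, 'wrong') === 'denied:bad-password');
assert(web_cron_access($pw, 'example-secret') === 'allowed');
```

      The first assertion is the situation the issue reports: with the old defaults the report should warn, and the web endpoint runs cron for any unauthenticated request.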

              People

              Assignee:
              ankit_frenz Ankit Agarwal
              Reporter:
              fred Frédéric Massart
              Peer reviewer:
              Dan Poltawski
              Integrator:
              David Monllaó
              Tester:
              John Okely
              Component watchers:
              Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze
              Votes:
              1
              Watchers:
              6

                Dates

                Fix Release Date:
                11/May/15