[MDL-48559] Web CRON should be disabled by default - Moodle Tracker

XML

Word

Printable

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.6.6, 2.7.3, 2.8.1
Fix Version/s: 2.9
Component/s: Administration
Labels:
- ci
- release_notes
- triaged

Testing Instructions:
Hide

Do a new install and make sure setting 'cronclionly' is checked by default and the default value of the field is shown as 'yes'

Try running the web cron by going to admin/cron.php and make sure you get an error

Go to Site administration / ►Reports / ►Security overview

Make sure you see a warning when the 'cronclionly' setting is not checked and there is no password "cronremotepassword" provided, with a link to "site policies" on the details page

Drop and reinit behat test (mdk behat --force)

Run behat suite and make sure all tests pass as before and there are no failures related to cron.
Show
Do a new install and make sure setting 'cronclionly' is checked by default and the default value of the field is shown as 'yes' Try running the web cron by going to admin/cron.php and make sure you get an error Go to Site administration / ►Reports / ►Security overview Make sure you see a warning when the 'cronclionly' setting is not checked and there is no password "cronremotepassword" provided, with a link to "site policies" on the details page Drop and reinit behat test (mdk behat --force) Run behat suite and make sure all tests pass as before and there are no failures related to cron.
Difficulty:
Easy
Affected Branches:
MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
Fixed Branches:
MOODLE_29_STABLE
Pull from Repository:
git://github.com/ankitagarwal/moodle.git
Pull Master Branch:
~~MDL-48559~~-master
Pull Master Diff URL:
https://github.com/ankitagarwal/moodle/compare/470e087...MDL-48559-master

Sprint:
Team B Sprint 1, Team Beards Sprint 2
Issue size:
Small

Description

I realised that the default settings for cron over web is enabled, and without password. Googling a bit proved that many sites did not disable the web cron, probably because it is not common those days to have a web cron. I think that new installations should have that setting turned off, or at the very least have a random hash as password.

The Web cron can be abused by attackers to:

Obtain information only available to logged in users, or in a context restricted to the attacker
Obtain information useful for attackers (IDs, file paths, etc...)
Potentially create overload on the server
...

You get the idea.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

MDL-48559-master.mdk.patch
6 kB
19/Dec/14 7:32 PM

Issue Links

has been marked as being related by

MDL-48496 Do not show detailed error messages in the response from curl requests in rss_client

Closed

is duplicated by

MDL-55334 Vulnerability: Denegation of Service

Closed

Activity

People

Assignee:

Ankit Agarwal

Reporter:

Frédéric Massart

Peer reviewer:

Dan Poltawski

Integrator:

David Monllaó

Tester:

John Okely

Participants:

Ankit Agarwal, CiBoT, Dan Poltawski, David Monllaó, Eloy Lafuente (stronk7), Frédéric Massart, Helen Foster, John Okely

Component watchers:

Andrew Nicols, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze

Votes:

1 Vote for this issue

Watchers:

6 Start watching this issue

Dates

Created:

11/Dec/14 1:53 AM

Updated:

12/Apr/19 1:01 PM

Resolved:

20/Feb/15 3:13 AM

Fix Release Date:

11/May/15