Details
Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.6.6, 2.7.3, 2.8.1
Fix Version/s: 2.9
Component/s: Administration
Labels:
Testing Instructions:
Difficulty: Easy
Affected Branches: MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE
Fixed Branches: MOODLE_29_STABLE
Pull from Repository:
Pull Master Branch: MDL-48559-master
Pull Master Diff URL:
Sprint: Team B Sprint 1, Team Beards Sprint 2
Issue size: Small
Description
I realised that the default setting for cron over the web is enabled, and without a password. Googling a bit proved that many sites did not disable the web cron, probably because it is not common these days to have a web cron. I think that new installations should have that setting turned off, or at the very least have a random hash as the password.
The web cron can be abused by attackers to:
- Obtain information only available to logged-in users, or in a context restricted to the attacker
- Obtain information useful for attackers (IDs, file paths, etc.)
- Potentially create overload on the server
- ...
You get the idea.
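For reference, the two settings the report is about can be pinned in config.php. The fragment below is an added example for this page, not code from the issue or from Moodle's tree; `cronclionly` and `cronremotepassword` are the names Moodle uses for these settings under Site administration > Security > Site security settings, and setting them in config.php locks them in the admin UI. The host name and the password value are placeholders.

```php
<?php
// Fragment to append to an existing Moodle config.php (added example, not Moodle's own code).

// Weak: the default the report describes on the affected versions. Anyone who can reach
// http://your.site/admin/cron.php can trigger cron and read its output, no password needed.
// $CFG->cronclionly        = 0;
// $CFG->cronremotepassword = '';

// Hardened: only accept cron from the command line (run it from the system scheduler as
//   php /path/to/moodle/admin/cli/cron.php
// ). With this set, admin/cron.php refuses every HTTP request, whatever password is supplied.
$CFG->cronclionly = 1;

// Fallback when the host cannot run a scheduler and web cron is unavoidable: keep the web
// entry point but require a long random secret. Generate it once, e.g. (PHP 5.3+):
//   php -r 'echo bin2hex(openssl_random_pseudo_bytes(16)), PHP_EOL;'
// then trigger cron with http://your.site/admin/cron.php?password=<that value>.
// $CFG->cronclionly        = 0;
// $CFG->cronremotepassword = 'replace-with-the-32-hex-chars-from-the-command-above';
```

To confirm the setting took effect, fetch /admin/cron.php without logging in: with `cronclionly` on, Moodle returns an error page instead of cron output. Note that the password is sent as a query parameter, so it ends up in web-server and proxy logs; the CLI-only option is the one to prefer wherever a scheduler is available.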