Bug 1024413

Summary: web-style cron should be restricted
Product: [Fedora] Fedora EPEL
Reporter: albert <superber>
Component: moodle
Assignee: Gwyn Ciesla <gwync>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: el6
CC: gwync
Hardware: All
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2013-10-29 17:16:14 UTC
Type: Bug

Description albert 2013-10-29 15:40:53 UTC
Description of problem:

moodle's cron can be executed in two ways:
-> standard crontab (if moodle service enabled with chkconfig)
-> web cron, sort of wget http://server/moodle/admin/cron.php

There should be an 'allow, deny...' block in apache so
the cron can't be run remotely via web by any unauthenticated user.
Even worse, some valuable information is displayed in the
browser when cron is executed: new users, system paths...

I suggest adding the following code to restrict access to localhost:

<Location /moodle/admin/cron.php>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Location>

Version-Release number of selected component (if applicable):

moodle-2.4.6-1.el6.noarch

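As an added illustration (not part of the report or of Apache), a small Python model of how the two branches of the suggested block decide whether a client address may reach cron.php; it also shows that the 2.2 directives only work because of the Order direction chosen. Function names and the sample client addresses are constructed for this example.

```python
import ipaddress

# Constructed model (not Apache's code) of the two branches of the suggested
# <Location> block. Patterns are as written in the report: 'All', plus the
# two loopback addresses.
DENY_FROM = ("all",)
ALLOW_FROM = ("127.0.0.1", "::1")

def _matches(client_ip, pattern):
    """A 2.2-style 'from' argument: 'all', a single address, or a CIDR network."""
    if pattern.lower() == "all":
        return True
    # ip_network() of a bare address is a /32 or /128; a mismatched address
    # family simply fails the membership test instead of raising.
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)

def allowed_apache22(client_ip, order="Deny,Allow", deny=DENY_FROM, allow=ALLOW_FROM):
    """mod_authz_host (Apache 2.2) evaluation of Order / Deny from / Allow from.

    Order Deny,Allow: Deny rules apply first, Allow rules override them, and a
    client matching neither is allowed. Order Allow,Deny is the reverse: a client
    matching neither is denied, and Deny overrides Allow.
    """
    denied = any(_matches(client_ip, p) for p in deny)
    permitted = any(_matches(client_ip, p) for p in allow)
    if order == "Deny,Allow":
        return permitted or not denied
    if order == "Allow,Deny":
        return permitted and not denied
    raise ValueError("unknown Order: %r" % order)

def allowed_apache24_local(client_ip, server_ip=None):
    """'Require local' (Apache 2.4): loopback, or the address the server itself
    listens on (server_ip is an assumed parameter covering that second case)."""
    ip = ipaddress.ip_address(client_ip)
    return ip.is_loopback or (server_ip is not None and ip == ipaddress.ip_address(server_ip))

def audit(clients=("127.0.0.1", "::1", "203.0.113.5", "2001:db8::10")):
    """Who could reach cron.php under each variant, for constructed sample
    clients (203.0.113.0/24 and 2001:db8::/32 are documentation ranges)."""
    return {c: {"2.2": allowed_apache22(c), "2.4": allowed_apache24_local(c)} for c in clients}

if __name__ == "__main__":
    for client, result in audit().items():
        print(client, result)
    # The same Deny/Allow lines under Order Allow,Deny would lock everyone out,
    # because 'Deny from All' is then evaluated last.
    print("loopback under Order Allow,Deny:", allowed_apache22("127.0.0.1", order="Allow,Deny"))
```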

Comment 1 albert 2013-10-29 17:15:08 UTC
I realize that there is a config setting to disable web cron, so closing this bug.