Bug 1024413 - web-style cron should be restricted
Summary: web-style cron should be restricted
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: moodle
Version: el6
Hardware: All
OS: Unspecified
Target Milestone: ---
Assignee: Gwyn Ciesla
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-29 15:40 UTC by albert
Modified: 2013-10-29 17:16 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-29 17:16:14 UTC
Type: Bug



Description albert 2013-10-29 15:40:53 UTC
Description of problem:

moodle's cron can be executed in two ways:
-> standard crontab (if moodle service enabled with chkconfig)
-> web cron, sort of wget http://server/moodle/admin/cron.php

There should be an 'allow, deny...' block in apache so
the cron can't be run remotely via web by any unauthenticated user.
Even worse, some valuable information is displayed in the
browser when cron is executed: new users, system paths...

I suggest adding the following code to restrict access to localhost:

<Location /moodle/admin/cron.php>
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require local
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Deny,Allow
    Deny from All
    Allow from 127.0.0.1
    Allow from ::1
  </IfModule>
</Location>

Version-Release number of selected component (if applicable):

moodle-2.4.6-1.el6.noarch

How reproducible:



Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

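A quick way to verify whether the restriction described above is actually in effect is to scan the Apache access log for cron.php requests coming from non-loopback clients: a 200 from a remote address means the web cron is still reachable, a 403 means the Location block (or an equivalent control) is working. This is an added example, not part of the bug report or the moodle package; the log lines and the /moodle/admin/cron.php path are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample access_log lines in Apache combined format (not from the report).
SAMPLE_LOG = """\
127.0.0.1 - - [29/Oct/2013:15:40:53 +0000] "GET /moodle/admin/cron.php HTTP/1.1" 200 5120 "-" "Wget/1.12"
203.0.113.7 - - [29/Oct/2013:15:41:10 +0000] "GET /moodle/admin/cron.php HTTP/1.1" 200 5120 "-" "curl/7.19"
::1 - - [29/Oct/2013:15:45:00 +0000] "GET /moodle/admin/cron.php HTTP/1.1" 200 5120 "-" "Wget/1.12"
203.0.113.7 - - [29/Oct/2013:16:02:31 +0000] "GET /moodle/admin/cron.php HTTP/1.1" 403 213 "-" "curl/7.19"
198.51.100.4 - - [29/Oct/2013:16:05:02 +0000] "GET /moodle/course/view.php?id=2 HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line and status code from a combined/common log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

CRON_PATH = "/moodle/admin/cron.php"  # assumed install prefix, as in the report


def is_local(ip):
    """True for 127.0.0.0/8 and ::1, the only clients the suggested Location block allows."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def remote_cron_hits(log_text):
    """Return (ip, timestamp, status) for every cron.php request from a non-loopback client."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path != CRON_PATH or is_local(m.group("ip")):
            continue
        hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


def summarize(hits):
    """Count remote cron.php requests by status; any 200 means the restriction is not in place."""
    return Counter(status for _, _, status in hits)


if __name__ == "__main__":
    for ip, ts, status in remote_cron_hits(SAMPLE_LOG):
        print(f"{ts} {ip} -> {status} ({'UNRESTRICTED' if status == 200 else 'blocked'})")
```
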
Comment 1 albert 2013-10-29 17:15:08 UTC
I realize that there is a config setting to disable web cron, so closing this bug

