visibility of cron.php

by Gabriel Dias -
Number of replies: 9
Hi, I just want to know why the /admin/cron.php script is visible by default to everyone, even if the user is not logged in?


In reply to Gabriel Dias

Re: visibility of cron.php

by Martin Dougiamas -
It's because this script needs to be called automatically every 15 minutes or so ... and since many people don't have command line access then calling the URL from outside Moodle is often the only way that people can do it (eg on a cpanel host, using wget).

For this reason it doesn't require authentication. It's not meant to be called manually by a logged-in user (though it doesn't hurt if you do). There are a bunch of security mechanisms in that script.

Still, I'd recommend you either turn on cronclionly (calling the script from the command line is more efficient and won't clog your web logs) or add a password with cronremotepassword. See "Site policies" in your admin settings.
In reply to Martin Dougiamas

Re: visibility of cron.php

by Gabriel Dias -
OK, I understand why it needs to be accessible from the web, but I don't agree that BY DEFAULT it can be accessed by anyone without authentication or any other security method.

You can do a test. Go to the Moodle registered sites, go into some of them and try to execute the /admin/cron.php script.

I did it on some sites and there was no restriction at all.

Look at this output from a random one I chose yesterday:

Starting activity modules
Processing module function assignment_cron ...done.
Processing module function chat_cron ...done.
Processing module function forum_cron ...Starting digest processing...
(Expected digest time today: 1235426400 admin user zone: Monday, 23 February 2009, 17:00 site zone: Monday, 23 February 2009, 17:00)
Cleaned old digest records
Removing old forum read tracking info...
done.
Processing module function scorm_cron ...Updating scorm packages which require daily update
done.
Processing module function wiki_cron ...done.
Finished activity modules
Starting blocks
Processing cron function for rss_client....
0 feeds refreshed (took 0.149372 seconds)
done.
Processing cron function for search....Global searching is not enabled. Nothing performed by search.
done.
Finished blocks
Starting admin reports
Finished admin reports
Updating languages cache
Removing expired enrolments ...none found
Starting main gradebook job ...
done.
Running clean-up tasks...
Deleted assignment for user 8 from course 8
Deleted assignment for user 2 from course 3
Deleted assignment for user 38 from course 8
Deleted assignment for user 2 from course 6
Deleted assignment for user 78 from course 8
Deleted assignment for user 8 from course 6
Deleted assignment for user 33 from course 6
Deleted assignment for user 5 from course 6
Deleted assignment for user 11 from course 6
Deleted assignment for user 40 from course 8
Deleted assignment for user 61 from course 8
Deleted orphan user_lastaccess for user 2 from course 3
Deleted orphan user_lastaccess for user 2 from course 6
Deleted unconfirmed user for Carla Curti (24)
Deleted unconfirmed user for juana morena (25)
Deleted unconfirmed user for Carlos Chanfles (30)
Deleted unconfirmed user for Jose Dubberly (34)
Deleted unconfirmed user for veronica andrea fabio (62)
Deleted unconfirmed user for María Elena Zehnder (68)
Deleted unconfirmed user for Mary Viteri (71)
Deleted unconfirmed user for Claudia Liliana Peralta (70)
Deleted unconfirmed user for Grace Rotella (73)
Deleted unconfirmed user for mirta baez (76)
Deleted unconfirmed user for Karen Mesta (87)
Deleted unconfirmed user for franco daniel bracamonte hurtado (85)
Deleted unconfirmed user for diego mario trinidad perez (88)
Deleted unconfirmed user for Ariel Candy (91)
Deleted unconfirmed user for Veronica Leon (98)
Deleted unconfirmed user for javier folmer (104)
Deleted unconfirmed user for carlos enrrique trespalacios alies (109)
Deleted unconfirmed user for gabrielasalome dasilva (113)
Deleted unconfirmed user for vanesa soledad gonzalez (116)
Deleted unconfirmed user for silvia negra (121)
Deleted unconfirmed user for isaac hernandez (135)
Deleted unconfirmed user for Mariela Minoura (138)
Deleted unconfirmed user for Yaneth pardo (141)
Deleted old log records
Deleted old cache_text records
Synchronised metacourses
checking for create_password
Executed tag cron
Cleaned up contexts
Cleaned cache flags
Built context paths
Finished clean-up tasks...
Running backups if required...
Checking backup status...INACTIVE
Backup tasks finished.
Running auth crons if required...
Cron script completed correctly
Execution took 33.792836 seconds


Do you think anyone needs to be allowed, by default, to execute this script on your site?


In reply to Gabriel Dias

Re: visibility of cron.php

by Mike Worth -
Seeing as it is supposed to run frequently, it's not a problem if it does get run a few times too many; the only potential issue I can see is that people can see some data: they could see a partial list of what plugins you've got installed and a list of people who haven't confirmed their accounts, hardly national secrets.

At most maybe default it to only output debugging/info when accessed by a logged in admin?

Mike
In reply to Mike Worth

Re: visibility of cron.php

by Gabriel Dias -
Maybe you are right, but tell me, would you like anyone to be able to see something like this:


Keeping backup files in /home/martinez/public_html/cp/uploaddata/1/backupdata
found 3 backup files
keep limit (1) reached. Deleting old files
copia_de_seguridad-p_gina_principal-20080519-2221.zip deleted
copia_de_seguridad-p_gina_principal-20080519-2228.zip deleted
End backup OK
Next execution: Sunday, 1 March 2009, 00:00
TIC / ICT - Prof. Brenda Hughes
Executing backup


Well, I guess you don't mind if anyone knows the public_html root path of your site and, on top of that, deletes some backup files...
In reply to Gabriel Dias

Re: visibility of cron.php

by Martin Dougiamas -
Yeah, I would regard the fact that site backups are showing path info like that as a bug that needs fixing, as well as the display of a user name. (The deletion of the backups is normal and would have happened on the next cron anyway.)

To avoid anything like that happening again, I think we should modify the function mtrace() to not output any information at all when the script is called from the web. I've filed a bug for it: MDL-18370
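The two mitigations named earlier in the thread (cronclionly and cronremotepassword) and the mtrace suppression proposed in this reply are easiest to see together in code. The block below is an added illustration, not Moodle's admin/cron.php or its mtrace(): the $CFG keys mirror the setting names from the thread, but the `password` query parameter, the helper names and the error_log fallback are assumptions made for the example.

```php
<?php
// Illustrative access guard for a web-reachable cron endpoint.
// Added example; NOT Moodle's admin/cron.php. The two setting names
// mirror the Moodle options discussed in the thread; everything else
// (array layout, helper names, the 'password' query parameter) is assumed.

$CFG = [
    'cronclionly'        => false,             // true: refuse every HTTP call
    'cronremotepassword' => 'change-me-to-a-long-random-value', // '' = no password required
];

function cron_is_cli(): bool {
    return PHP_SAPI === 'cli';
}

// Decide whether this invocation may run.
// Returns null when allowed, otherwise a short reason for refusal.
function cron_access_denied(array $cfg, bool $is_cli, ?string $supplied): ?string {
    if ($is_cli) {
        return null;                           // a local shell caller is always fine
    }
    if (!empty($cfg['cronclionly'])) {
        return 'cron is restricted to the command line';
    }
    $expected = (string)($cfg['cronremotepassword'] ?? '');
    if ($expected === '') {
        return null;                           // open to anyone: the default the thread objects to
    }
    // Constant-time comparison so the check does not leak how many
    // leading characters of the password were correct.
    if ($supplied === null || !hash_equals($expected, $supplied)) {
        return 'missing or wrong remote password';
    }
    return null;
}

// Output helper in the spirit of the mtrace() change proposed above:
// print progress only for a command-line run, so file-system paths,
// user names and the plugin list never reach an anonymous web caller.
// The detail still goes to the server log for the administrator.
function cron_trace(string $msg, bool $is_cli): void {
    if ($is_cli) {
        echo $msg, PHP_EOL;
    }
    error_log('cron: ' . $msg);
}

$is_cli   = cron_is_cli();
$supplied = $is_cli ? null : ($_GET['password'] ?? null);   // parameter name assumed

if (($why = cron_access_denied($CFG, $is_cli, $supplied)) !== null) {
    if (!$is_cli) {
        http_response_code(403);
    }
    cron_trace('refused: ' . $why, $is_cli);
    exit(1);
}

cron_trace('Starting activity modules', $is_cli);
// ... the scheduled jobs would run here ...
cron_trace('Cron script completed correctly', $is_cli);
```

Two practical caveats follow from this. A password passed in the query string is written to the web server's access log on every run, so if the log is shared or shipped elsewhere the password travels with it; cronclionly, with the job started from crontab via the php command-line binary instead of wget, avoids both that exposure and the log noise Martin mentions. And suppressing output on the web path does not change what the script does, only what it reveals, so the unauthenticated-trigger question is answered by the access check, not by the quieter output.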
In reply to Martin Dougiamas

Re: visibility of cron.php

by Stuart Mealor -
I've also had this question in my mind.

Is there also a possibility of creating attacks on a server because of this?

If someone set-up a script to continually run cron.php wouldn't it affect the overall performance of Moodle - effectively being some type of denial of service type attack?
In reply to Stuart Mealor

Re: visibility of cron.php

by Martin Dougiamas -
Basically, you could do the same thing calling ANY page on ANY web site. ;)