Can anybody request the cron.php page within any interval?
Isn't this a possible attack target on Drupal sites?

Comments

mantyla’s picture

http://drupal.org/cron.php

It says forbidden, just like it should. If you're worried, you can configure the cron.php page to be only accessible from a certain IP, even only at a specific time.

Valid point though. I'll have to secure my own cron pages first thing tomorrow at work.
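The IP restriction mentioned in the comment above, as an added example (not part of the original thread). It assumes Apache and a cron job on the web server itself that requests cron.php over loopback; the addresses are placeholders to adjust.

```apache
# Added example: allow cron.php only from the web server itself.
# Assumption: the scheduled job that triggers Drupal's cron runs on the
# same host and requests cron.php over the loopback interface.
# Replace the addresses if cron is triggered from another machine.

<Files "cron.php">
  # Apache 2.4 and later (mod_authz_core)
  <IfModule mod_authz_core.c>
    Require ip 127.0.0.1 ::1
  </IfModule>

  # Apache 2.2 (legacy access-control syntax)
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
  </IfModule>
</Files>
```

If the site sits behind a reverse proxy or load balancer, Apache sees the proxy's address as the client, so an allow rule for that address would admit every proxied request.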

2die4’s picture

You can find another discussion here about cron and securing it.

http://www.drupal.org/node/41049

More on securing files:
http://www.drupal.org/node/277116

arhak’s picture

Thanks to both of you. But you can see the case of mantyla will be common.
I think THIS IS a Security Issue!!!
Default configuration of Drupal shouldn't allow this behavior (not by default)
Many newbies will learn the lesson after the attack occurs!

morrillo’s picture

It would be nice if the information on how to secure cron.php could be found in the installation guide.
Cheers,

Gustavo