Secure cron.php
el777 - December 13, 2005 - 19:09
Hi!
How can I secure cron.php from remote invocation by malicious users?
If cron.php is publicly available, anybody can run it. Is it secure?
Thanks!
It is probably secure, however...
I did the following:
<Files "cron.php">
Order deny,allow
Deny from all
</Files>
cd /path-to-my-drupal-directory; /path-to-php/php cron.php
So, it is not possible to invoke the cron from the browser; it is executed via the command line (i.e. using PHP itself, not via wget).
HTH+
But CLI mode doesn't have the full environment
I guess there's some difference between running php via apache and via the command line interface. In the latter case the script doesn't have any HTTP settings (for example the domain, or all the features in the settings.php file tied to the domain), so it doesn't have all the information about the drupal instance. Or doesn't cron.php require them in any way?
Thank you!
All I can say is ...
All I can say is I'm using the above mentioned method in 2 different sites w/o problems. Probably, cron.php does not need anything dependent on base_url. It seems to me all output (if any) goes to the log.
If there was a problem, it would still be possible to use wget and still protect cron.php against foreign access by adding "allow from 127.0.0.1" to the .htaccess block described above.
...
Without a correct $base_url, the url() function will fail to generate absolute URLs. This should especially concern you if some subscription module sends emails in hook_cron()... the URLs in the emails will be faulty.
Variant...
I prefer to invoke it via http, so I am using this variant:
<Files "cron.php">
Order deny,allow
Allow from name.of.this.machine
Allow from another.authorized.name.net
Allow from 127.0.0.1
Deny from all
</Files>
Now cron.php is run only if requested from the server.
Fine solution!
This is a very fine solution! The alternative (renaming cron.php) prevents cron from being used from Drupal's user interface. Additionally, "security by obscurity" should be kept outside of Open Source projects, think of our reputation! ;)
The only disadvantage I see is that it is a little harder to upgrade Drupal, because the changes in .htaccess are lost.
How could one put this into Apache's httpd.conf? Or will this be ignored due to the .htaccess file?
...
That was the case in D 4.7.
In D 5.0 you can safely rename cron.php.
(but, yes, access control is a nicer solution.)
As is.
re: Secure cron.php
The cron module does not do anything that can be easily mis-used. It merely invokes module methods to see if anything is scheduled for updates and processes them. The most serious side effect is that some information might be updated in advance of your normally scheduled cron run, but only those updates which were already pending and ready to happen.
The only potential I can see for abuse is if any modules aren't prepared for race conditions and more than one cron is running simultaneously. This 'shouldn't happen' if the modules have been written correctly but is entirely possible given the large number of not-quite-stable modules and development projects going on.
Protecting it completely would involve configuration of your web server to disallow access to this page from any site but your own (the one running the cron daemon). If memory serves, this would require allow,deny rules if using Apache.
I am afraid of DoS attacks.
I am afraid of DoS attacks. Tasks in cron.php should be time consuming, at least potentially, so it would be easy to slow down a server by calling it repeatedly. Not sure I am correct, but anyway another point is that in principle I don't like that the world can run my administrative routines...
This is not elegant or upgradeable...
Warning: This is not elegant or upgradeable...
You could also edit the cron.php so that a password is required for it to execute.
http://example.com/cron.php?password=mypassword
Then you use simple PHP to restrict or allow access to the rest of cron.php
Marcel
http://drupalhacks.com
http://drupalthemes.com - soon
Permissions?
I have set up cron like this:
19 */8 * * * /usr/local/bin/php pathtomysite/cron.php
Since this does not involve a browser (lynx, wget, curl ...) I should be able to set the permissions to 600. I am not sure if this will actually prevent it from being accessed through a web browser.
Andre
Command Line Solution.
This won't work with a multi-site install unfortunately.
Wouldn't the concerns about the cron.php file be resolved if an administrator could just set how often they wanted cron to run, and if the default config were set to return null if cron.php was loaded more than once a minute? That would both be a reasonable amount of time for most hyperactive webhosts, and would also close down this concern about cron.php being used to DoS a site.
--
OpenConcept | WLP | FVC | OX | OO
I have read suggestions in
I have read suggestions in the forums of my hosting company about simply renaming cron.php to something else to avoid security issues.
renaming seems the simplest
It also works.
Upgrading issues also would not be a problem for a user who knew enough to change the name in the first place.
wellsy
orchidsonline.com.au
thanx, renaming seems to be a good solution here
hehe, i renamed and got rid of the cron.php problem, thanx :D
powered by Drupal www.universideliyiz.biz
I use a $_GET value, In the
I use a $_GET value. In the cron I use an if statement to check whether the provided get value equals my code. On success it runs the cron, else it doesn't. With my host config I enter the cron path with the get value attached. So, nobody except me or the host knows that it requires a get value. Works for me!
Ali Hammad Raza
WordsValley
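Pulling together the suggestions made in this thread (allow only the local machine, require a secret, refuse repeated runs), here is an added guard for the start of cron.php. It is example code written for this page, not code from the thread or from Drupal; the constant names, the lock-file path and the `key` parameter are assumptions.

```php
<?php
// Added example (not from the thread or from Drupal): a guard for the top of cron.php
// combining the three protections discussed above: 1. accept HTTP requests only from
// the machine itself; 2. require a shared secret, compared in constant time;
// 3. refuse to run more than once per minute. CRON_SECRET, CRON_LOCK_FILE and the
// "key" parameter name are assumptions made for this example.
const CRON_SECRET       = 'replace-with-a-long-random-value'; // placeholder only
const CRON_MIN_INTERVAL = 60;                                 // seconds between runs
const CRON_LOCK_FILE    = '/tmp/drupal-cron.lock';            // assumed writable path

function cron_request_allowed(string $remote_ip, $key, string $lock_file, int $now): bool
{
    // 1. REMOTE_ADDR comes from the TCP connection, so unlike X-Forwarded-For the
    //    client cannot choose it. Loopback only, matching "Allow from 127.0.0.1".
    if (!in_array($remote_ip, ['127.0.0.1', '::1'], true)) {
        return false;
    }
    // 2. hash_equals() runs in constant time, so a wrong guess does not reveal how
    //    many leading characters matched. Non-string (array) input is rejected too.
    if (!is_string($key) || !hash_equals(CRON_SECRET, $key)) {
        return false;
    }
    // 3. The lock file stores the Unix time of the last accepted run; flock() stops
    //    two simultaneous requests (the race mentioned above) from both passing.
    $fp = fopen($lock_file, 'c+');
    if ($fp === false || !flock($fp, LOCK_EX)) {
        return false;
    }
    $last = (int) stream_get_contents($fp);   // empty file => 0 => never run
    $ok = ($now - $last) >= CRON_MIN_INTERVAL;
    if ($ok) {
        ftruncate($fp, 0);
        rewind($fp);
        fwrite($fp, (string) $now);
    }
    flock($fp, LOCK_UN);
    fclose($fp);
    return $ok;
}
// A crontab run (php cron.php) has no REMOTE_ADDR or $_GET, so the CLI path bypasses
// the HTTP checks, as the command-line posts above rely on.
if (PHP_SAPI !== 'cli') {
    if (!cron_request_allowed($_SERVER['REMOTE_ADDR'] ?? '', $_GET['key'] ?? null,
                              CRON_LOCK_FILE, time())) {
        http_response_code(403);
        exit('Forbidden');
    }
}
// ... the rest of cron.php follows unchanged.
```

A multi-site install that cannot use the .htaccess approach gets the same effect from this guard, since the check lives in the shared cron.php rather than in per-site web server configuration.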