[ww-devel] [rt.webwork.maa.org #9598] Question Regarding My Webwork HW, including my entire name and college being posted to the internet without my permission
Danny Glin
dlglin at ucalgary.ca
Mon Feb 10 17:43:22 EST 2020
A couple of points:
1. It looks like there is a configuration issue with the TTU server which allows temporary directory contents to be viewed from the web. For example if I visit https://webwork.math.ttu.edu/wwtmp/ I am able to navigate through any of the tmp directories. When I try this on my server, I get a landing page telling me that I shouldn’t be there, and if I try to view a subdirectory I get a 403 Forbidden error. This configuration difference is likely why google was able to index the tmp files on the TTU server. Adding a robots.txt file as Mike suggests would be another layer of protection to try to prevent these files from showing up on google. Even with these fixes, someone who knows the exact path to a hardcopy file would still be able to access it. Having a cron job periodically delete these mitigates, but does not solve the issue.
2. I had the same initial reaction as Tani regarding temporary files containing PII; I took a quick look at the files served from the htdocs/tmp directory, and it looks like it is only image files and pdf hardcopies of homework sets. I can’t think of a scenario where an image related to a webwork exercise would contain PII. If that is the case, then it is just the hardcopy pdfs that are at issue. Tani’s solution is probably the appropriate one.
Danny
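The cron-job mitigation discussed above, written out as an added example; this is not code from the WeBWorK project, from the wiki page Arnie links, or from anyone in this thread. It assumes (not stated in the thread) that hardcopies are generated under per-course directories of the form htdocs/tmp/<course>/hardcopy/, and the default location and retention period are placeholders. It complements, rather than replaces, the web server fix Danny describes: in Apache, `Options -Indexes` on the tmp directory turns off the automatic listing, and a robots.txt discourages indexing, but as he notes neither stops a request that already knows the exact path, and neither does this cleanup until the file's age limit has passed.

```shell
#!/bin/sh
# Added example: a cron-style cleanup for generated hardcopy files.
# Not code from the WeBWorK project or from anyone in the thread above.
# Assumed layout (not from the thread): .../htdocs/tmp/<course>/hardcopy/
# holds the generated PDFs; WW_TMP and MAX_AGE_MIN below are placeholders.

WW_TMP="${WW_TMP:-/opt/webwork/webwork2/htdocs/tmp}"   # assumed location
MAX_AGE_MIN="${MAX_AGE_MIN:-60}"                         # assumed retention

# clean_hardcopies DIR MINUTES
#   Removes every regular file under a */hardcopy/ directory below DIR whose
#   modification time is more than MINUTES ago. No extension filter is used:
#   hardcopy generation can leave .tex and .log files next to the PDF, and
#   those carry the same student name and course as the PDF itself.
#   Afterwards, empty directories below the per-course level are pruned.
#   Echoes the number of files removed so a cron wrapper can log it.
clean_hardcopies() {
    dir=$1
    minutes=$2
    if [ ! -d "$dir" ]; then
        echo 0
        return 0
    fi
    # -print runs before -delete on each match, so wc -l counts exactly the
    # files removed in this pass. -mmin +N means "older than N minutes".
    removed=$(( $(find "$dir" -type f -path '*/hardcopy/*' \
                     -mmin "+$minutes" -print -delete | wc -l) ))
    # -mindepth 2 leaves the per-course directories themselves in place so
    # the application does not have to recreate them on the next request.
    find "$dir" -mindepth 2 -type d -empty -delete
    echo "$removed"
}

# Only run the cleanup when this file is executed under its own name, e.g.
# from a crontab line such as:  */15 * * * *  /usr/local/sbin/clean_hardcopies.sh
# When the file is sourced, the function is defined without side effects.
if [ "${0##*/}" = "clean_hardcopies.sh" ]; then
    n=$(clean_hardcopies "$WW_TMP" "$MAX_AGE_MIN")
    echo "removed $n hardcopy file(s) older than $MAX_AGE_MIN minutes from $WW_TMP"
fi
```

Running it every 15 minutes with a 60-minute limit bounds the exposure window for a forgotten hardcopy to roughly an hour and a quarter; the images Danny mentions are left alone because they are regenerated on demand and do not carry PII.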
On Feb 9, 2020, at 3:06 PM, Nathan Wallach <taniwallach at gmail.com> wrote:
1. "We" actually just leaked this person's name + email address + some of his personal situation (from the request) not only to the recipients of this list but via the public archive at: http://webwork.maa.org/pipermail/webwork-devel/ . I edited the older mails below so this message does not repeat that. Can someone manually edit the email archive to clean up the prior posts?
2. I think that Arnie's idea may be a very good thing to consider - as we want WeBWorK to be compliant with the best practices of protecting personal information, so files which are intended to include such information should not be created as publicly available files even if hidden away under some random looking paths, if at all possible.
Overall, AFAIK, most supporting material (images - standard or custom, CSS files, JavaScript files) served as static content (at least once generated) is not going to contain any PII (personally identifiable information), while most WeBWorK pages which do contain PII are dynamically generated for a logged in user.
The obvious exception (not that someone pointed a finger at it) seems to be the "hardcopy" files.
At least one type of "specially generated files" - scoring files - seems to be available only to a logged in user. Ex: In order to download the CSV grading file I see a link like:
https://hostname.domain/webwork2/courseID/instructor/scoringDownload/?user=username&key=session_key&getFile=courseID_totals.csv&effectiveUser=username
and the CSV file itself is not under htdocs/tmp but instead under courses/courseID/scoring/ so does not seem to be something which can be served without being authenticated and authorized by the WW code.
The processing seems to be handled by lib/WeBWorK/ContentGenerator/Instructor/ScoringDownload.pm which is activated by suitable code in lib/WeBWorK/URLPath.pm.
I suspect that a similar approach would provide a more secure means of distributing the PDF files, at the expense of needing to manage a new location for temporary files which should be periodically cleaned out and otherwise managed, and the expense of needing to have the WW code (and not lighttpd) serve them.
What do other people think?
Tani
On Sun, Feb 9, 2020 at 9:54 PM Arnold Pizer <apizer at math.rochester.edu> wrote:
Also maybe there is a more secure way to serve PDF files than we are doing.
Arnie
On Sat, Feb 8, 2020, 8:48 PM mgage <gage at math.rochester.edu> wrote:
This was on a TTU server. And I expect you are right Arnie about the set up.
Perhaps we should recommend a no-robots file as well.
Take care,
Mike
On Feb 8, 2020, at 10:19 PM, Arnold Pizer <apizer at math.rochester.edu> wrote:
Hi,
I assume when the new server was set up, cron jobs to remove temporary files were not set up. See
"Using Cron Jobs to remove temporary files" in
http://webwork.maa.org/wiki/Clean_Out_Temporary_Files
Arnie
On Sat, Feb 8, 2020 at 11:45 AM mgage <gage at math.rochester.edu> wrote:
Hi Michael,
Who is keeping track of notices like the one below at MAA? In my opinion this is part of customer service. Were you aware of the notice?
This message at least deserves investigation and a response.
Longer term issue, you were going to send me a link to who ever at MAA is overseeing customer
relations vis-a-vis webwork hosting so that we can start coordinating the handling of issues such as this one.
Take care,
Mike
Begin forwarded message:
From: "NAME REMOVED via RT" <rt at webwork.maa.org>
Subject: [rt.webwork.maa.org #9598] Question Regarding My Webwork HW, including my entire name and college being posted to the internet without my permission
Date: February 5, 2020 at 11:18:17 PM EST
Reply-To: "rt at webwork.maa.org" <rt at webwork.maa.org>
Wed Feb 05 23:18:16 2020: Request 9598 was acted upon.
Transaction: Ticket created by EMAIL ADDRESS REMOVED
Queue: General
Subject: Question Regarding My Webwork HW, including my entire name and college being posted to the internet without my permission
Owner: Nobody
Requestors: EMAIL ADDRESS REMOVED
Status: new
Ticket <URL: http://rt.webwork.maa.org/Ticket/Display.html?id=9598 >
Hello,
TEXT DELETED I was on google and shocked that Webwork homework assignments I saved to my personal computer appeared in a PUBLIC google search. I am flabbergasted and I have no idea how to remove them. TEXT REMOVED What can be done to remove them from Google?
Thank you,
NAME REMOVED
_______________________________________________
webwork-devel mailing list
webwork-devel at webwork.maa.org
http://webwork.maa.org/mailman/listinfo/webwork-devel
--
Prof. Arnold K. Pizer
Dept. of Mathematics
University of Rochester
Rochester, NY 14627
(585) 766-8812