[ww-devel] [rt.webwork.maa.org #9598] Question Regarding My Webwork HW, including my entire name and college being posted to the internet without my permission
Glenn Rice
grice1 at missouriwestern.edu
Mon Feb 10 17:53:43 EST 2020
Danny seems to hit on the real problem here. The TTU server has
directory browsing enabled. By default apache2 does this, but for a
secure server it should be disabled. To disable directory browsing for
apache2 edit /etc/apache2/apache2.conf and remove "Indexes" from the
root directory settings.
The default settings look something like the following:
<Directory />
Options Indexes FollowSymLinks
AllowOverride None
Require all denied
</Directory>
Perhaps this should be added to the installation documentation for
webwork. Of course this still doesn't solve the issue if someone knows the
exact path to a file.
Glenn
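As an added example (not code from this thread or from the WeBWorK project), the following Python script implements the audit Glenn describes above: it scans the <Directory> blocks of an Apache config for an Options line that enables Indexes, and rewrites those lines so listing is off, which is the same fix as removing "Indexes" by hand. It also carries the robots.txt layer Danny mentions further down. The config text is constructed to resemble the Debian apache2.conf defaults; the /wwtmp/ path is the one quoted in the thread.

```python
"""Audit an Apache config for directory listing (Options Indexes) and disable it.

Added example; the config below is constructed, not taken from any real server.
"""
import re

# Constructed sample: the stock Debian root stanza (listing ON), a hardened
# docroot (listing OFF via relative syntax), and a temp dir with listing ON.
SAMPLE_CONF = """\
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

<Directory /var/www/>
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory /opt/webwork/webwork2/htdocs/tmp>
    Options +Indexes
    Require all granted
</Directory>
"""

# robots.txt is only a hint to well-behaved crawlers; it does not stop anyone
# who already knows a file's exact path, as Danny notes.
ROBOTS_TXT = "User-agent: *\nDisallow: /wwtmp/\n"

DIR_RE = re.compile(r"<Directory\s+([^>]+)>(.*?)</Directory>", re.S | re.I)
OPT_RE = re.compile(r"^([ \t]*)Options[ \t]+(.+?)[ \t]*$", re.M | re.I)


def indexes_enabled(options_line: str) -> bool:
    """True if this Options line turns directory listing on.

    Apache syntax: a bare 'Indexes' (absolute form) or '+Indexes' (relative
    form) enables listing; '-Indexes' disables it.
    """
    enabled = False
    for tok in options_line.split():
        if tok.lstrip("+-").lower() == "indexes":
            enabled = not tok.startswith("-")
    return enabled


def listing_enabled_dirs(conf: str) -> list[str]:
    """Paths of <Directory> blocks whose last Options line enables Indexes."""
    hits = []
    for m in DIR_RE.finditer(conf):
        path, body = m.group(1).strip(), m.group(2)
        opts = [o.group(2) for o in OPT_RE.finditer(body)]
        if opts and indexes_enabled(opts[-1]):
            hits.append(path)
    return hits


def disable_indexes(conf: str) -> str:
    """Rewrite every Options line so it no longer enables Indexes.

    Absolute lines lose the bare 'Indexes' token (Glenn's fix); relative
    lines keep relative syntax and get '-Indexes', because Apache rejects a
    line that mixes the two forms.
    """
    def fix(m: re.Match) -> str:
        toks = []
        for tok in m.group(2).split():
            if tok.lstrip("+-").lower() == "indexes":
                if tok[0] in "+-":
                    toks.append("-Indexes")
                # bare 'Indexes' is simply dropped
            else:
                toks.append(tok)
        return m.group(1) + "Options " + (" ".join(toks) if toks else "None")
    return OPT_RE.sub(fix, conf)


if __name__ == "__main__":
    for path in listing_enabled_dirs(SAMPLE_CONF):
        print("directory listing enabled for:", path)
    print(disable_indexes(SAMPLE_CONF))
    print("suggested robots.txt:\n" + ROBOTS_TXT)
```

Run it against a copy of /etc/apache2/apache2.conf (and the files under sites-enabled/) to see which <Directory> stanzas still expose listings; after applying the rewritten config, an `apachectl configtest` and a reload are still needed, and a fresh request for the temp directory should return 403 rather than an index page.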
On 2/10/20 4:43 PM, Danny Glin wrote:
> A couple of points:
>
> 1. It looks like there is a configuration issue with the TTU server
> which allows temporary directory contents to be viewed from the
> web. For example if I visit https://webwork.math.ttu.edu/wwtmp/ I
> am able to navigate through any of the tmp directories. When I
> try this on my server, I get a landing page telling me that I
> shouldn’t be there, and if I try to view a subdirectory I get a
> 403 Forbidden error. This configuration difference is likely why
> google was able to index the tmp files on the TTU server. Adding
> a robots.txt file as Mike suggests would be another layer of
> protection to try to prevent these files from showing up on
> google. Even with these fixes, someone who knows the exact path
> to a hardcopy file would still be able to access it. Having a
> cron job periodically delete these mitigates, but does not solve
> the issue.
>
> 2. I had the same initial reaction as Tani regarding temporary files
> containing PII; I took a quick look at the files served from the
> htdocs/tmp directory, and it looks like it is only image files and
> pdf hardcopies of homework sets. I can’t think of a scenario
> where an image related to a webwork exercise would contain PII.
> If that is the case, then it is just the hardcopy pdfs that are
> at issue. Tani’s solution is probably the appropriate one.
>
>
> Danny
>
>> On Feb 9, 2020, at 3:06 PM, Nathan Wallach <taniwallach at gmail.com> wrote:
>>
>> 1. "We" actually just leaked this person's name + email address + some
>> of his personal situation (from the request) not only to the
>> recipients of this list but via the public archive at:
>> http://webwork.maa.org/pipermail/webwork-devel/ . I edited the older
>> mails below so this message does not repeat that. Can someone
>> manually edit the email archive to clean up the prior posts?
>>
>> 2. I think that Arnie's idea may be a very good thing to consider -
>> as we want WeBWorK to be compliant with the best practices of
>> protecting personal information, so files which are intended to
>> include such information should not be created as
>> publicly available files even if hidden away under some random
>> looking paths, if at all possible.
>>
>> Overall, AFAIK, most supporting material (images - standard or
>> custom, CSS files, JavaScript files) served as static content (at
>> least once generated) is not going to contain any PII (personally
>> identifiable information), while most WeBWorK pages which do contain
>> PII are dynamically generated for a logged in user.
>>
>> The obvious exception (not that someone pointed a finger at it) seems
>> to be the "hardcopy" files.
>>
>> At least one type of "specially generated files" - scoring files -
>> seems to be available only to a logged in user. Ex: In order to
>> download the CSV grading file I see a link like:
>>
>> https://hostname.domain/webwork2/courseID/instructor/scoringDownload/?user=username&key=session_key&getFile=courseID_totals.csv&effectiveUser=username
>>
>> and the CSV file itself is not under htdocs/tmp but instead
>> under courses/courseID/scoring/ so does not seem to be something
>> which can be served without being authenticated and authorized by
>> the WW code.
>>
>> The processing seems to be handled
>> by lib/WeBWorK/ContentGenerator/Instructor/ScoringDownload.pm which
>> is activated by suitable code in lib/WeBWorK/URLPath.pm.
>>
>> I suspect that a similar approach would provide a more secure means
>> to distributing the PDF files, at the expense of needing to manage a
>> new location for temporary files which should be periodically cleaned
>> out and otherwise managed, and the expense of needing to have the WW
>> code (and not lighttpd) serve them.
>>
>> What do other people think?
>>
>> Tani
>>
>> On Sun, Feb 9, 2020 at 9:54 PM Arnold Pizer <apizer at math.rochester.edu> wrote:
>>
>> Also maybe there is a more secure way to serve PDF files than we
>> are doing.
>>
>> Arnie
>>
>> On Sat, Feb 8, 2020, 8:48 PM mgage <gage at math.rochester.edu> wrote:
>>
>> This was on a TTU server. And I expect you are right Arnie
>> about the set up.
>> Perhaps we should recommend a no-robots file as well.
>>
>> Take care,
>>
>> Mike
>>
>>> On Feb 8, 2020, at 10:19 PM, Arnold Pizer <apizer at math.rochester.edu> wrote:
>>>
>>> Hi,
>>>
>>> I assume when the new server was set up, cron jobs to remove
>>> temporary files were not set up. See
>>> "Using Cron Jobs to remove temporary files" in
>>> http://webwork.maa.org/wiki/Clean_Out_Temporary_Files
>>>
>>> Arnie
>>>
>>> On Sat, Feb 8, 2020 at 11:45 AM mgage <gage at math.rochester.edu> wrote:
>>>
>>> Hi Michael,
>>>
>>> Who is keeping track of notices like the one below at
>>> MAA? In my opinion this is part of customer service.
>>> Were you aware of the notice?
>>> This message at least deserves investigation and a
>>> response.
>>>
>>> Longer term issue, you were going to send me a link to
>>> who ever at MAA is overseeing customer
>>> relations vis-a-vis webwork hosting so that we can start
>>> coordinating the handling of issues such as this one.
>>>
>>>
>>> Take care,
>>>
>>> Mike
>>>
>>>
>>>> Begin forwarded message:
>>>>
>>>> *From:* "NAME REMOVED via RT" <rt at webwork.maa.org>
>>>> *Subject:* *[rt.webwork.maa.org #9598] Question Regarding My Webwork HW,
>>>> including my entire name and college being posted to the internet
>>>> without my permission*
>>>> *Date:* February 5, 2020 at 11:18:17 PM EST
>>>> *Reply-To:* "rt at webwork.maa.org" <rt at webwork.maa.org>
>>>>
>>>>
>>>> Wed Feb 05 23:18:16 2020: Request 9598 was acted upon.
>>>> Transaction: Ticket created by EMAIL ADDRESS REMOVED
>>>> Queue: General
>>>> Subject: Question Regarding My Webwork HW,
>>>> including my entire name and college being posted to
>>>> the internet without my permission
>>>> Owner: Nobody
>>>> Requestors: EMAIL ADDRESS REMOVED
>>>> Status: new
>>>> Ticket
>>>> <URL: http://rt.webwork.maa.org/Ticket/Display.html?id=9598 >
>>>>
>>>>
>>>> Hello,
>>>>
>>>> TEXT DELETED I was on google and shocked that Webwork
>>>> homework assignments I saved to my personal computer
>>>> appeared in a PUBLIC google search. I am flabbergasted
>>>> and I have no idea how to remove them. TEXT REMOVED
>>>> What can be done to remove them from Google?
>>>>
>>>> Thank you,
>>>> NAME REMOVED
>>>
>>> _______________________________________________
>>> webwork-devel mailing list
>>> webwork-devel at webwork.maa.org
>>> <mailto:webwork-devel at webwork.maa.org>
>>> http://webwork.maa.org/mailman/listinfo/webwork-devel
>>>
>>>
>>>
>>> --
>>> Prof. Arnold K. Pizer
>>> Dept. of Mathematics
>>> University of Rochester
>>> Rochester, NY 14627
>>> (585) 766-8812
>>
>>
>>
>
>