JiscMail Logo
Email discussion lists for the UK Education and Research communities

Help for VLE Archives


VLE Archives

VLE Archives


VLE@JISCMAIL.AC.UK


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font

LISTSERV Archives

LISTSERV Archives

VLE Home

VLE Home

VLE  February 2008

VLE February 2008

Options

Subscribe or Unsubscribe

Subscribe or Unsubscribe

Log In

Log In

Get Password

Get Password

Subject:

Re: VLE Security Vulnerability

From:

Jon Maber <[log in to unmask]>

Reply-To:

Virtual Learning Environments <[log in to unmask]>

Date:

Mon, 4 Feb 2008 19:26:15 +0000

Content-Type:

text/plain

Parts/Attachments:

Parts/Attachments

text/plain (92 lines)

Further to my earlier posting.  Investigation leads me to believe that 
the same basic vulnerability may exist in other VLE software products 
both commercial and open source in addition to the one that was reported 
to me last month. 

I have started work on a suitable fix for VLEs based on the Java Servlet 
specification - I'm afraid this may take a while since I have no access 
to funding.  I will _not_ be releasing the fix as open source since 
analysis of the source code will in effect make public the vulnerability 
which it addresses.  However, I will make it available to my own current 
and past clients at no cost in the form of plug-in binary code on 
condition that it isn't redistributed or reverse engineered.  I may 
choose to release the source code at some point in the future when the 
vendors of other products have had time to make their own fixes.

While trying to avoid giving away too much information in a public forum 
I would like to impress on developers of other VLE software the urgency 
of reviewing security in their own products.  If you are a lead 
developer and I can verify that you are a lead developer I will provide 
more information in confidence - enough to allow you to determine if 
your own product is vulnerable.  Any server side application which for 
any reason collects data from users for display to other users (e.g. a 
message board, questionnaire etc.), which allows users to upload web 
pages or fragments of HTML and which also makes use of a certain popular 
method of user authentication may be at risk.

Sooner or later full details of which software products are vulnerable 
and methods for exploitation will leak out.  Therefore speed is of the 
essence.

Getting back to advice for sysadmins - there may be some danger that the 
VLE might open up access to other campus systems  - if you are using 
certain low-security types of single sign-on technique.  At least review 
the security offered by the single sign-on system that you are using and 
if necessary consider a switch to something better.  If your VLE itself 
provides a gateway onto student personal data (e.g. address, date of 
birth or national insurance number) I would seriously recommend that you 
consider suspending that functionality for the time being.  Making as 
much obligatory use as possible of X509.3 digital certificates for 
authentication to sensitive databases is advisable since this is a 
proven high-security method and the development of necessary 
infrastructure has been well supported by JISC and other organizations.  
Some UK universities have considerable in-house expertise in the use of 
digital certificates and have published very valuable information on 
implementing them on a large scale. 

Jon


Jon Maber wrote:
> A brief heads-up for VLE administrators.
>
> I learned today that one of the major commercial VLE products has a 
> massive security hole in it which will allow a user with minimal 
> security rights to hijack a more privileged user's account and 
> possibly also log in to other enterprise systems in the same domain 
> such as student information systems.  The obvious malicious use would 
> be for a student to edit his or her own marks but it could also be 
> used to access personal details of other students for use in student 
> loan fraud etc.  Exploiting the vulnerability requires some technical 
> expertise - at about the level of an average computer science 
> undergraduate.
>
> I can't give further details since the vendor has not yet come up with 
> a decent fix (although I understand that they have known about the 
> vulnerability for at least a month.)  My contact says that the vendor 
> has provided hes university with some interim patches which are only 
> partly effective.  I would hope that their other customers have been 
> told about these patches.  My advice is that whatever product you are 
> using you should contact the vendor and ask for the latest patches and 
> repeat this frequently - there are likely to be a long series of 
> 'sticking plaster' patches before the definitive solution is 
> developed.  I'll give more information if I find out that a proper fix 
> has been produced and distributed to customers.
>
> If you know all about this please don't identify the vendor, the 
> product or the nature of the vulnerability on the list since this 
> could leak out and provide hackers with valuable information.
>
> Jon Maber
>
> ***************** List information: *****************
> Remember - replies go by default to the entire list.
> Access the list via the web on http://www.jiscmail.ac.uk/lists/vle.html
> To unsubscribe, email [log in to unmask] with the message: leave vle
>

***************** List information: *****************
Remember - replies go by default to the entire list.
Access the list via the web on http://www.jiscmail.ac.uk/lists/vle.html
To unsubscribe, email [log in to unmask] with the message: leave vle

Top of Message | Previous Page | Permalink

JiscMail Tools


RSS Feeds and Sharing


Advanced Options


Archives

January 2024
December 2023
October 2023
September 2023
June 2023
May 2023
March 2023
February 2023
January 2023
November 2022
October 2022
September 2022
August 2022
July 2022
June 2022
May 2022
February 2022
November 2021
September 2021
July 2021
June 2021
May 2021
April 2021
March 2021
February 2021
January 2021
December 2020
November 2020
September 2020
August 2020
June 2020
May 2020
April 2020
March 2020
February 2020
January 2020
December 2019
November 2019
October 2019
September 2019
August 2019
July 2019
June 2019
May 2019
April 2019
March 2019
February 2019
January 2019
December 2018
November 2018
October 2018
September 2018
August 2018
July 2018
June 2018
May 2018
April 2018
March 2018
February 2018
January 2018
December 2017
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
April 2017
March 2017
February 2017
January 2017
December 2016
November 2016
October 2016
September 2016
August 2016
July 2016
June 2016
May 2016
April 2016
March 2016
February 2016
January 2016
December 2015
November 2015
October 2015
September 2015
August 2015
July 2015
June 2015
May 2015
April 2015
March 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
December 2006
November 2006
October 2006
September 2006
August 2006
July 2006
June 2006
May 2006
April 2006
March 2006
February 2006
January 2006
December 2005
November 2005
October 2005
September 2005
August 2005
July 2005
June 2005
May 2005
April 2005
March 2005
February 2005
January 2005
2004
2003
2002
2001


JiscMail is a Jisc service.

View our service policies at https://www.jiscmail.ac.uk/policyandsecurity/ and Jisc's privacy policy at https://www.jisc.ac.uk/website/privacy-notice

For help and support help@jisc.ac.uk

Secured by F-Secure Anti-Virus CataList Email List Search Powered by the LISTSERV Email List Manager