[Building Sakai] Is there a security concern about HTML files in resources ?
George Pipkin
gpp8p at virginia.edu
Fri Nov 5 09:18:39 PDT 2010
Hi Everybody -

I was discussing this with some other people here at U.Va., and I wondered if the following scenario might be a worrisome one:

A student submits an assignment by adding it to the Resources of a class site - this could be through drop-box or directly. The submission is an HTML document that contains some specially crafted JavaScript that extracts the session id of whoever views the page and appends it to a request URL contained in the page - probably an image URL. When the page is viewed for grading, the session id is thus transmitted to another server, and the instructor doing the grading is none the wiser. This session id is thus captured and used to log in, go to Gradebook and grades are changed.

Has anybody considered this?

- George Pipkin
U.Va.
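One defensive response to the scenario described in the post, as an added example (not code from the post or from Sakai): classify each uploaded file by its declared type, extension and leading bytes, and force anything a browser could render as HTML or SVG to download rather than display inside the application's origin, so script it carries never runs with the grader's session. The function names and the per-file header hook are assumptions; the sample inputs in the comments are constructed.

```python
"""Serving user-uploaded files from a shared-origin "Resources" store without
letting them run as pages. Assumption: the application can set response
headers per file before streaming it to the browser."""
import mimetypes
import re
from typing import Optional

# Types a browser will execute script from when rendered inline.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "application/javascript", "text/javascript",
}

# Markup that a lenient browser might render as HTML even when the declared
# type is something harmless such as text/plain.
_HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html|<script|<svg|<iframe", re.I)

def classify(filename: str, declared_type: Optional[str], head: bytes) -> str:
    """Return 'active' if the file could run script in the viewer's session,
    else 'passive'. Checks declared type, extension, and the first 4 KiB."""
    guessed, _ = mimetypes.guess_type(filename)
    candidates = {t.split(";")[0].strip().lower() for t in (declared_type, guessed) if t}
    if candidates & ACTIVE_TYPES or _HTML_MARKERS.search(head[:4096]):
        return "active"
    return "passive"

def safe_name(filename: str) -> str:
    """Strip characters that could break out of the Content-Disposition header."""
    return re.sub(r"[^\w.\-]", "_", filename)[:100] or "download"

def download_headers(filename: str, declared_type: Optional[str], head: bytes) -> dict:
    """Headers for one uploaded file. Active content is forced to download
    (constructed example: 'essay.html' -> attachment, octet-stream); passive
    content may render inline. nosniff stops the browser from second-guessing
    the declared type in either case."""
    headers = {"X-Content-Type-Options": "nosniff"}
    if classify(filename, declared_type, head) == "active":
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name(filename)}"'
    else:
        headers["Content-Type"] = declared_type or "application/octet-stream"
        headers["Content-Disposition"] = f'inline; filename="{safe_name(filename)}"'
    return headers
```

Marking the session cookie HttpOnly is the complementary control: script in a page that does get rendered then cannot read the session id at all.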
More information about the sakai-dev mailing list