[Building Sakai] Is there a security concern about HTML files in resources?
Sean DeMonner
demonner at umich.edu
Fri Nov 5 10:29:06 PDT 2010
Hi George,
Suspected/potential security concerns should be addressed to the security at sakaifoundation.org mail per the Sakai Foundation Security Policy which may be found here:
http://confluence.sakaiproject.org/display/DOC/Security+Policy
Thanks,
SMD.
On Nov 5, 2010, at 12:18 PM, George Pipkin wrote:
> Hi Everybody -
>
> I was discussing this with some other people here at U.Va., and I wondered if the following scenario might be a worrisome one:
>
> A student submits an assignment by adding it to the Resources of a class site - this could be through drop-box or directly. The submission is an HTML document that contains some specially crafted JavaScript that extracts the session id of whoever views the page and appends it to a request URL contained in the page - probably an image URL. When the page is viewed for grading, the session id is thus transmitted to another server, and the instructor doing the grading is none the wiser. This session id is thus captured and used to log in, go to Gradebook and grades are changed.
>
> Has anybody considered this?
>
> - George Pipkin
> U.Va.
====================================================
Sean DeMonner, Assistant Director, Teaching & Learning, AIS, ITS
3350 Duderstadt Center, University of Michigan (734) 615-9765
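The scenario George describes, seen from the defender's side: an added example (not Sakai's code, which this thread does not show) sketching in Python the two server-side controls that break the chain, a session cookie flagged HttpOnly so page script cannot read it, and response headers that stop an uploaded HTML file from running script in the site's origin. Header names and directives are standard; the function names, the cookie name and the sample file names are assumptions.

```python
"""Added example: mitigations for script in user-uploaded HTML (not Sakai code)."""
from http.cookies import SimpleCookie
import mimetypes

# Content types a browser will execute script from when rendered inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml"}


def session_cookie(name: str, value: str) -> str:
    """Set-Cookie value for the session id; HttpOnly hides it from document.cookie,
    so script in an uploaded page cannot copy it into an image URL."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True   # not readable by JavaScript
    jar[name]["secure"] = True     # only sent over HTTPS
    jar[name]["samesite"] = "Lax"
    jar[name]["path"] = "/"
    return jar.output(header="").strip()


def resource_headers(filename: str, inline: bool = False) -> dict:
    """Headers for serving a file from Resources/Drop Box (file name is a constructed
    sample). Active content is either forced to download or, if it must render inline,
    sandboxed so it gets an opaque origin, cannot run script and cannot fetch
    external images (the exfiltration channel in the scenario)."""
    ctype, _ = mimetypes.guess_type(filename)
    ctype = ctype or "application/octet-stream"
    headers = {"Content-Type": ctype, "X-Content-Type-Options": "nosniff"}
    if ctype in ACTIVE_TYPES:
        if inline:
            headers["Content-Security-Policy"] = (
                "sandbox; default-src 'none'; img-src data:; style-src 'unsafe-inline'"
            )
        else:
            safe_name = filename.replace('"', "")
            headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


if __name__ == "__main__":
    print(session_cookie("SAKAIID", "constructed-session-id"))
    print(resource_headers("submission.html"))
    print(resource_headers("submission.html", inline=True))
    print(resource_headers("essay.pdf"))
```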