(this is fixed in version 1.3-fix1)
For a short time there was a blog entry online that claimed to present a method to break into an OKUSON server (and so to access personal data of the course participants).
Main remark: Since an OKUSON service collects personal data, some care should be taken when choosing a computer for such a service. My general advice is to use a computer to which students or potentially untrusted users have no access. (We ourselves use a (virtual) dedicated machine for all OKUSON services to which only the responsible persons have access.)
Similarly, the machines which are configured for administration access (in the <AdministrationAccessList> part of OKUSON's Config.xml) should be trusted machines.
If these conditions are fulfilled in your setup, then the mentioned blog
entry does not apply to your installation.
If your students have access to some computer in your <AdministrationAccessList>:
Then there is a theoretical possibility that a non-administrator gets access to the functionality of the administrator page in your OKUSON installation, that is the page .../adminmenu.html (on average it would take a few million trial accesses to an OKUSON service on our machines, but this could be less on other machines). To make this impossible, apply the following patch to server/WebWorkers.py in your OKUSON installation:
--- WebWorkers.py.orig 2010-03-26 13:57:31.000000000 +0100
+++ WebWorkers.py 2014-05-19 12:58:01.895984630 +0200
@@ -2805,8 +2805,8 @@
if passwd != Config.conf['AdministratorPassword']:
return Delegate('/errors/wrongpasswd.html',req,onlyhead)
- random.seed(time.time())
- currentcookie = str(random.randrange(10000000))
+ random.seed(os.urandom(200))
+ currentcookie = str(random.getrandbits(200))
handler = EH_Generic_class()
handler.iamadmin = 1
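Review bot: the two `+` lines use `os.urandom`, but the hunk adds no `import os`; if WebWorkers.py does not already import the module, the administrator login path fails with a NameError exactly when an administrator logs in, so check the module header before applying. Two further points on the same lines: if OKUSON runs under Python 2 (the surrounding `str(...)` code suggests it does), `random.seed()` hashes a non-integer argument, so the 200 bytes from `os.urandom(200)` collapse to a single `hash()` value of at most 64 bits before `getrandbits(200)` is drawn; and reseeding the module-level generator changes the random numbers drawn everywhere else in the process. Drawing the cookie from the OS generator directly, e.g. `currentcookie = str(random.SystemRandom().getrandbits(200))`, avoids both, needs no seed call, and keeps the 200-bit cookie the patch intends.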
and then restart OKUSON.
The problem with the original code is that guessing the cookie of a logged-in administrator is not completely impossible (this was noticed by Tobias Boelter).
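The following is an added example, not code from OKUSON or from the patch above. It contrasts the pre-fix cookie scheme (global generator seeded from the login time, a seven-digit value drawn from it) with a cookie drawn directly from the operating system's random source, and adds the constant-time comparison that a cookie check should use. The function names, the use of a private `random.Random` instance and the `secrets` module are assumptions of this example; OKUSON's real request handling is not reproduced.

```python
import hmac
import math
import random
import secrets

# Added example, not OKUSON code. Names below are chosen for this illustration.

WEAK_RANGE = 10000000  # randrange(10000000) in the pre-fix code: 10^7 possible cookies


def weak_admin_cookie(seed_time):
    """Pre-fix scheme: the generator is seeded with the login timestamp and a
    seven-digit cookie is drawn. The timestamp is the only source of variation,
    so the same timestamp always yields the same cookie and the whole cookie
    space has only WEAK_RANGE values."""
    rng = random.Random()  # private instance so the module-level generator is untouched
    rng.seed(seed_time)
    return str(rng.randrange(WEAK_RANGE))


def weak_space_bits():
    """Size of the pre-fix cookie space in bits (about 23.3 bits for 10^7 values)."""
    return math.log2(WEAK_RANGE)


def strong_admin_cookie(nbits=200):
    """Hardened scheme: take the cookie straight from the OS CSPRNG (secrets
    wraps SystemRandom / os.urandom). There is no seed to reconstruct, and the
    search space is 2**nbits."""
    return str(secrets.randbits(nbits))


def cookie_matches(presented, current):
    """Compare a presented cookie with the stored one in constant time, so the
    comparison itself leaks nothing about how many leading characters agree."""
    return hmac.compare_digest(presented.encode(), current.encode())


if __name__ == "__main__":
    # Constructed login time for the demonstration (not a real session).
    t = 1400000000.0
    print("weak cookie for the same timestamp twice:",
          weak_admin_cookie(t), weak_admin_cookie(t))
    print("weak cookie space: %.1f bits" % weak_space_bits())
    strong = strong_admin_cookie()
    print("strong cookie has %d decimal digits" % len(strong))
    print("constant-time match:", cookie_matches(strong, strong))
```

The determinism of `weak_admin_cookie` for a fixed timestamp is the whole defect: a cookie that depends only on a coarse, public quantity can be recomputed, and even without the timestamp the space of ten million values is small enough to enumerate, which is the "few million trial accesses" figure above. `strong_admin_cookie` has neither property, and `cookie_matches` closes the remaining side channel in the check itself.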
Contact: Frank Lübeck.