
OKUSON security notice for version 1.3

(this is fixed in version 1.3-fix1)

For a short time there was a blog entry online that claimed to present a method to break into an OKUSON server (and so to access personal data of the course participants).

Main remark: Since an OKUSON service collects personal data, some care should be taken when choosing a computer for such a service. My general advice is to use a computer to which students or potentially untrusted users have no access. (We ourselves use a (virtual) dedicated machine for all OKUSON services to which only the responsible persons have access.) Similarly, the machines which are configured for administration access (in the <AdministrationAccessList> part of OKUSON's Config.xml) should be trusted machines.
If these conditions are fulfilled in your setup, then the mentioned blog entry does not apply to your installation.

If your students have access to some computer in your <AdministrationAccessList>, then there is a theoretical possibility that a non-administrator gets access to the functionality of the administrator page in your OKUSON installation, that is, the page .../adminmenu.html (on average it would take a few million trial accesses to an OKUSON service on our machines, but this could be fewer on other machines). To make this impossible

Contact: Frank Lübeck.