Forum archive 2000-2006

Zbigniew Fiedorowicz - Edit course env. file - security risk?

by Arnold Pizer -
Number of replies: 0
Edit course env. file - security risk? topic started 2/19/2002; 3:33:40 PM
last post 2/19/2002; 3:33:40 PM
Zbigniew Fiedorowicz - Edit course env. file - security risk?
2/19/2002; 3:33:40 PM (reads: 686, responses: 0)
It seems to me that the ability to edit the course environment file webworkCourse.ph in the current version of WeBWorK adds new security risks which were not present in previous versions of WeBWorK. Unless I am mistaken, webworkCourse.ph can contain more or less arbitrary Perl code which will run with the permissions of the web server.

Under previous versions of WeBWorK, if an instructor's WeBWorK account were compromised, the intruder could only hose that particular WeBWorK course. With the ability to edit webworkCourse.ph, the intruder could obliterate all the WeBWorK courses on the server.

Zig Fiedorowicz
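
One mitigation for the risk raised in this post is to read an edited course environment file as data instead of executing it as Perl. The sketch below is an added example, not WeBWorK code and not part of the original post; the sub name `parse_env_as_data`, the setting names and both sample files are constructed, and it assumes settings are simple scalar assignments.

```perl
use strict;
use warnings;

# Read a course environment file as DATA; never hand it to do/require/eval.
# Allowed lines: blank, "# comment", a final "1;", and scalar assignments of
# a single-quoted literal or a plain number. Everything else is refused.
sub parse_env_as_data {
    my ($text) = @_;
    my (%settings, @rejected, $n);
    for my $line (split /\n/, $text) {
        $n++;
        next if $line =~ /^\s*(?:#.*)?$/;    # blank line or comment
        next if $line =~ /^\s*1;\s*$/;       # true value that ends a .ph file
        if ($line =~ /^\s*\$([A-Za-z_]\w*)\s*=\s*'([^'\\]*)'\s*;\s*$/) {
            $settings{$1} = $2;              # quoted literal, no escapes
        } elsif ($line =~ /^\s*\$([A-Za-z_]\w*)\s*=\s*(-?\d+(?:\.\d+)?)\s*;\s*$/) {
            $settings{$1} = $2;              # plain number
        } else {
            push @rejected, "line $n: $line";
        }
    }
    return (\%settings, \@rejected);
}

# Constructed samples (not real WeBWorK files). Single-quoted heredocs keep
# the text inert: nothing in them is interpolated or run.
my $clean = <<'END';
# course settings
$courseName = 'demo101';
$maxAttempts = 5;
1;
END
my $tampered = <<'END';
$courseName = 'demo101';
$tmpDir = `hostname`;
print STDERR "this would run with the web server's permissions\n";
1;
END
for my $case ([clean => $clean], [tampered => $tampered]) {
    my ($label, $text) = @$case;
    my ($settings, $rejected) = parse_env_as_data($text);
    if (@$rejected) {
        print "$label: refused\n";
        print "  $_\n" for @$rejected;
    } else {
        print "$label: accepted (", join(', ', map { "$_=$settings->{$_}" } sort keys %$settings), ")\n";
    }
}
```

A save handler built this way would store the file only when the rejected list is empty, so an instructor account can change setting values but cannot introduce statements.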
