Edit course env. file - security risk?
topic started 2/19/2002; 3:33:40 PM
last post 2/19/2002; 3:33:40 PM
Zbigniew Fiedorowicz - Edit course env. file - security risk?
2/19/2002; 3:33:40 PM (reads: 686, responses: 0)
Seems to me that the ability to edit the course environment file
webworkCourse.ph in the current version of WeBWorK adds new security
risks which were not present in previous versions of WeBWorK. Unless I
am mistaken, webworkCourse.ph can contain more or less arbitrary Perl
code which will run with the permissions of the web server.
Under previous versions of WeBWorK, if an instructor's WeBWorK account were compromised, the intruder could only hose that particular WeBWorK course. With the ability to edit webworkCourse.ph, the intruder could obliterate all the WeBWorK courses on the server.
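
Added example, not part of the original post and not WeBWorK's own code: one way to limit the risk described above is to read an instructor-editable settings file as data, accepting only plain literal assignments and rejecting every other line instead of executing the file. The setting names, the sample file content and the `parse_env_as_data` helper are constructed for illustration; the post does not say how WeBWorK loads webworkCourse.ph.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample of an instructor-edited environment file
# (hypothetical setting names, not real WeBWorK content).
my $sample = <<'END';
# course settings
$courseTitle = 'Calculus I';
$maxAttempts = 5;
$feedbackAddress = 'prof@example.edu';
system('id');
$logDir = "/tmp/" . `hostname`;
END

# Treat the file as data: accept only comments, blank lines and
# `$name = literal;` where the literal is a number or a quoted string
# with no backslashes, nested quotes or interpolation characters.
# Anything else (function calls, backticks, concatenation) is rejected
# and never evaluated.
sub parse_env_as_data {
    my ($text) = @_;
    my (%settings, @rejected);
    my $n = 0;
    for my $line (split /\n/, $text) {
        $n++;
        next if $line =~ /^\s*(?:#.*)?$/;    # blank line or comment
        if ($line =~ /^\s*\$([A-Za-z_]\w*)\s*=\s*(?:(-?\d+(?:\.\d+)?)|'([^'\\]*)'|"([^"\\\$\@]*)")\s*;\s*$/) {
            $settings{$1} = defined $2 ? $2 : defined $3 ? $3 : $4;
        } else {
            push @rejected, "line $n: $line";
        }
    }
    return (\%settings, \@rejected);
}

my ($settings, $rejected) = parse_env_as_data($sample);
print "accepted: $_ = $settings->{$_}\n" for sort keys %$settings;
print "rejected: $_\n" for @$rejected;
```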