A Threats Blocking Plug-in for Open Source Learning Management Systems
Web-based Learning Management Systems, as in the nature of web-applications, are subject to attacks delivered through Internet, mainly aiming at accessing restricted data for illegal use. Protection from these kinds of threats is studied in the area of web applications and has been steadily improving in the last years. Nonetheless, especially in the area of very popular and easy-to-install web applications, such as Content Managements Systems, Blogs, and open source Learning Management Systems, the usual way to protect an installed system is to wait that weaknesses in the system software are discovered, and “patches” or new system releases are made available for installation. And this can be necessary also in cases in which no new threat technique has been discovered, while just another part of the system software has been detected as “weak” to that type of attack. Here we give an account of the most usual “exploit” techniques, known to be available, and describe a prototype methodology to equip certain Learning Management Systems (namely the open source ones, in particular those based on PHP engines) with a more stable protection, making it unnecessary to patch, or reinstall, a system in a hurry, after that minor weaknesses have been unveiled. The plug-in for a system is supposed to filter the input, sent by the user through a browser, and to avoid execution of server activities on suspect data. We test the methodology on Moodle, by producing a suitable plug-in, and verifying its success at system run-time.
Unable to display preview. Download preview PDF.
- 1.Hope, P., Walther, B.: Web Security Testing Cookbook: Systematic Techniques to Find Problems Fast. O’Reilly, Sebastopol (2008)Google Scholar
- 2.Kurose, R.: Computer networking: a top-down approach. Addison-Wesley, Reading (2009)Google Scholar
- 3.OWASP. A Guide to Building Secure Web Applications and Web Services, http://www.owasp.org/index.php/Category:OWASP_Guide_Project
- 4.OWASP. Owasp Testing Guide v3, http://www.owasp.org/index.php/Category:OWASP_Testing_Project
- 5.AA.VV. ModSecurity web site, http://www.modsecurity.org
- 6.AA.VV. php-ids web site, http://php-ids.org
- 7.AA.VV. PHP Scripting Language. Main reference, http://www.php.net
- 8.AAVV. Moodle Learning Management System. Main reference, http://www.moodle.org
- 9.AA.VV. Wapity scanner web site, http://wapiti.sourceforge.net/