
Gradebook AuthZ filter not working


    Details

    • Type: Bug
    • Status: CLOSED
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0.1
    • Fix Version/s: 2.1.0
    • Component/s: Gradebook Classic
    • Labels: None

      Description

      Verified the report below on UCB's 2.0 QA instance.

      We found a security related bug yesterday in Assignments, and it appears to exist in Gradebook and Syllabus as well. Very obscure, and hard to see how a student could uncover it, but it's there nonetheless, and one of our QA folks thought of it, so... It allows students to change their grade in Assignment or Gradebook, or edit a Syllabus item. A student could I suppose install Sakai themselves, and in fooling around discover a back door to enabling them to get to otherwise unpermitted edit pages.

      They can do this by pasting in the equivalent of the instructor's URL to the grade page or syllabus edit page.

      So as an instructor, go to the Gradebook, and right click over one of the assignments in the list and save the URL.
      Logout, and log back in with a student account. Paste the URL in and you can get to where you can change grades.

      Someone would have to know the format of the URL etc., so not likely. You'd have to be an instructor to get it.
      https://ctools.umich.edu/portal/tool/35512628-bb7e-4218-804b-371268b3ba9d/overview#
      But if someone installed their own private Sakai, and was fooling around, they might come across it, and the next day it's on a Sakai hack website, and the next day students everywhere just got smarter.

      Zhen just checked in a fix (2156) to the problem in assignments. Perhaps she can provide add'l info if needed. There is talk of a 2.0.1 'official' patch, w/ notification sent to contacts only of those running pilots to try to keep knowledge of the problem contained.

      John
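As an added illustration (not Sakai's own code) of the server-side check the issue title refers to: a servlet filter that authorizes every request to a grade-editing URL against the session user's permission in the site, so the same URL that works for an instructor is refused for a student no matter how it was obtained. The PermissionService interface, the permission name, the session attribute and the siteId parameter are assumptions; the filter is assumed to be mapped over the whole gradebook tool path.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical authorization filter for gradebook edit pages (added example,
// not Sakai's code). The decision is taken from the server-side session and
// the site's permission store on every request, so it makes no difference
// whether the user followed a rendered link or pasted the instructor's URL.
public class GradebookEditAuthzFilter implements Filter {
    // Hypothetical lookup; Sakai's real permission service has a different API.
    public interface PermissionService {
        boolean hasPermission(String userId, String siteId, String permission);
    }
    private static final String GRADE_PERMISSION = "gradebook.gradeAll"; // assumed name
    private final PermissionService permissions;

    public GradebookEditAuthzFilter(PermissionService permissions) {
        this.permissions = permissions;
    }

    // Pure decision function, kept apart from the servlet plumbing so it can be
    // unit tested without a container. Read-only gradebook pages pass through;
    // any edit/grade/update path requires the grading permission in that site.
    public boolean isAuthorized(String userId, String siteId, String path) {
        if (!path.matches(".*/gradebook/(edit|grade|update)(/.*)?")) return true;
        return userId != null && siteId != null
                && permissions.hasPermission(userId, siteId, GRADE_PERMISSION);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String userId = (String) request.getSession().getAttribute("userId"); // assumed session key
        String siteId = request.getParameter("siteId");                      // assumed parameter
        if (!isAuthorized(userId, siteId, request.getRequestURI())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN); // deny outright, no redirect
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

A unit test of isAuthorized with a stub PermissionService that grants the permission only to the instructor covers the reported case: the student id with the instructor's edit path must return false, while both users pass for a read-only overview path.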

                People

                Assignee:
                oheyer Oliver Heyer (Inactive)
                Reporter:
                oheyer Oliver Heyer (Inactive)
