Details

    • Type: Bug
    • Status: Closed
    • Priority: Trivial
    • Resolution: Won't Fix
    • Affects Version/s: 1.5
    • Fix Version/s: None
    • Component/s: Resource
    • Labels:
      None
    • Environment:
      All
    • Affected Branches:
      MOODLE_15_STABLE
    • Rank:
      6691

      Description

      The current web link authentication in Moodle has some serious drawbacks. See the following forum post for a discussion of these shortcomings and suggestions for a fix:

      http://moodle.org/mod/forum/discuss.php?d=18696

      Also Moodle should have a mechanism for responding to page requests from other Moodle sites via such links.

        Activity

        Martin Dougiamas added a comment -

        From Martin Dougiamas (martin at moodle.com) Tuesday, 15 February 2005, 03:27 PM:

        I've responded on the forum about web link authentication.

        http://moodle.org/mod/forum/discuss.php?d=18696&parent=88871

        But I'm deeply suspicious (security-wise) of this new hack in login/index.php you've added to allow people to log in from the outside ... what's this all about? Can you explain it in detail?

        From Martin Dougiamas (martin at moodle.com) Tuesday, 15 February 2005, 03:35 PM:

        Having read it closer I see what you're getting at, but it needs to

        a) be compatible with how resources do it already

        b) have a nice admin GUI.

        From Petr Skoda (skodak at centrum.cz) Tuesday, 15 February 2005, 03:44 PM:

        Please revert the changes, it does not seem to be secure. We should discuss it more at the security center.

        From Zbigniew Fiedorowicz (fiedorow at math.ohio-state.edu) Wednesday, 16 February 2005, 12:37 AM:

        I've now replaced the code with a stub, with the implementation delegated to another file. If the implementation file is absent, the code falls through and the login process behaves as before. I will be putting the implementation in the contrib/ section.

        The implementation I wrote only implements the back end of weblink authentication. I was planning to modify the resource module/file to implement the front end later. [I will also put the modifications in contrib/.]

        As to why I want to do this: I envision this as a means of implementing cross-listing of courses between different moodle servers.

        What security problems do you see with the code? Also I don't have a login on security.moodle.org

        From Petr Skoda (skodak at centrum.cz) Wednesday, 16 February 2005, 12:41 AM:

        create an account at security.moodle.org and I will enrol you

        From Zbigniew Fiedorowicz (fiedorow at math.ohio-state.edu) Wednesday, 16 February 2005, 01:35 AM:

        I've created an account on security.moodle.org

        Actually I think it would be quite trivial to hack course/view.php to implement cross listing of courses between Moodle sites. The idea would be that the cross listed course would have a bogus/skeleton course on the first server and redirect with weblink authentication to the other site where the actual course content resides. For now course information would have to be manually synchronized between the two sites, so it would be more a proof of concept rather than a permanent solution. However it could be built upon gradually to something quite usable.

        From Zbigniew Fiedorowicz (fiedorow at math.ohio-state.edu) Wednesday, 16 February 2005, 04:43 AM:

        Adding the following code to course/view.php just after the line require_login($course->id) implements the hack of my previous message:

        <pre>
        $remote_url = false;
        $resources = get_all_instances_in_course('resource', $course);
        foreach ($resources as $resource) {
            // A resource named exactly "Redirect to remote server" carries the target URL.
            if ($resource->name == 'Redirect to remote server') {
                $remote_url = $resource->reference;
                break;
            }
        }
        if (!isadmin() && !isset($noremote) && $remote_url) {
            $clicktime = time();
            $remote_url .= '&username=' . urlencode($USER->username) . '&clicktime=' . $clicktime;
            // Token the remote site is expected to recompute from the same three inputs.
            $pwdauthentication = md5($USER->username . $clicktime . $USER->password);
            $remote_url .= '&pwdauthentication=' . $pwdauthentication;
            redirect($remote_url);
        }
        </pre>

        From Zbigniew Fiedorowicz (fiedorow at math.ohio-state.edu) Wednesday, 16 February 2005, 04:45 AM:

        Sorry slight correction. The conditional should be

        if (!(isadmin() && isset($noremote)) && $remote_url) {

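The receiving side of the token scheme that the snippet above builds, as an added example that is not Moodle's code nor the contrib implementation the comment mentions: it recomputes md5(username . clicktime . password hash) and adds the checks a verifier needs before trusting the request. The `$knownPasswordHashes` array, `MAX_SKEW` and the sample values are constructed assumptions; `hash_equals` requires PHP 5.6 or later.

```php
<?php
// Added example (not Moodle code): the verifying side of the weblink token
// as the snippet in the thread builds it:
//   pwdauthentication = md5(username . clicktime . stored_password_hash)
// Hypothetical names: $knownPasswordHashes stands in for the receiving
// site's user table; MAX_SKEW is the freshness window the verifier imposes.

const MAX_SKEW = 300; // seconds; the sender attaches no expiry, so the receiver must bound clicktime

// Recompute the token exactly as the sending site does.
function weblink_token(string $username, int $clicktime, string $passwordHash): string
{
    return md5($username . $clicktime . $passwordHash);
}

// True only if the user is known here, the clicktime is fresh and the token
// matches; the comparison is constant-time.
function verify_weblink(array $params, array $knownPasswordHashes, int $now): bool
{
    foreach (['username', 'clicktime', 'pwdauthentication'] as $key) {
        if (!isset($params[$key])) {
            return false;
        }
    }
    $username  = (string) $params['username'];
    $clicktime = (int) $params['clicktime'];
    $token     = (string) $params['pwdauthentication'];

    if (!isset($knownPasswordHashes[$username])) {
        return false; // no such account on the receiving site
    }
    if (abs($now - $clicktime) > MAX_SKEW) {
        return false; // outside the freshness window: refuse rather than honour an old link
    }
    $expected = weblink_token($username, $clicktime, $knownPasswordHashes[$username]);
    return hash_equals($expected, $token); // PHP >= 5.6
}

// Constructed sample: both sites hold the same md5 password hash for "alice".
$hashes = ['alice' => md5('correct horse')];
$now    = 1108481400;
$fresh  = ['username' => 'alice', 'clicktime' => $now - 10]; // link clicked moments ago
$fresh['pwdauthentication'] = weblink_token('alice', $fresh['clicktime'], $hashes['alice']);
$old    = ['username' => 'alice', 'clicktime' => $now - 86400]; // same secret, clicktime a day old
$old['pwdauthentication'] = weblink_token('alice', $old['clicktime'], $hashes['alice']);

var_dump(verify_weblink($fresh, $hashes, $now));
var_dump(verify_weblink($old, $hashes, $now));
```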

          People

          • Votes: 0
          • Watchers: 0
