• Resolved mlapl1

    (@mlapl1)


    Dear All,
    I am wondering what measures are in place to secure content (uploaded SCORM files). I had suggested in the past that storing materials above the root of the server might be very good. In particular, I am concerned that if anyone manages to guess the location of the SCORM file, they may be able to see or download it. For example, if they guess: https://xyz.com/wp-content/uploads/cluevo/modules/scorm2004/cloze_lectora01/a001index.html (the index file for a SCORM module) they will be able to semi run the file despite LMS API errors.
    What suggestions do you have for securing access to this resource?
    Thank you for your help.
    Andrew
    PS I will ask another question separately about reporting of scores.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author CLUEVO

    (@cluevo)

    Hi Andrew,

    we have a (very) basic .htaccess security feature that should block direct access to any files within the modules directory. A determined individual could forge requests to these files but it should block any access by trial and error.
    Placing files outside the root directory is something we still have in our backlog and we do have some ideas on how to do that, but it’s too soon to announce anything.

    Thread Starter mlapl1

    (@mlapl1)

    OK… thanks … so is this feature active now, because it did not seem to work when I clicked on the equivalent of the link you saw above? Or will you advise me and others presumably, how to do this (actually I think I know but I won’t discuss it here)?
    I know of course that, in a sense, nothing is secure on the net but at least you don’t give away the original product without a fight. Moodle does a good job with encryption plus storage outside the root directory. Or should we look at storage on Amazon or??? – it just complicates life too much.

    cheers
    andrew

    Plugin Author CLUEVO

    (@cluevo)

    There should be an option in the settings menu to enable this setting. It should also display if the .htaccess files are there. Of course the server configuration also has to allow this to work. If you try to access the files from say an incognito tab in your browser to simulate direct access (e.g. https://host/wp-content/uploads/cluevo/modules/scorm-2004/my-module//index_lms.html) you should receive a 403 forbidden response from the server.

    Alternatively, we’ve had clients that implemented checks inside the module itself. On starting the module it basically phoned home to a separate server to check if the access is authorized. I don’t have the technical details on how they implemented that though, I’ve just seen it done in a module.

    The thing with Moodle is that it is its own system so they have a lot more flexibility on what they can do, while we have to be able to run on a wide variety of systems inside the WordPress system. Often users don’t even have the kind of permissions or access to do something like storing files outside the web root, so this is kind of a tricky thing for us to do.
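
The incognito-tab check described in the reply above, scripted so a site owner can re-run it after plugin or server changes. This is an added example, not CLUEVO's code; the function names and the User-Agent string are assumptions, and the site URL and module paths are supplied by the caller.

```python
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as-is instead of following them (e.g. to a login page)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def direct_access_status(url, timeout=10):
    """Fetch url with no cookies, Referer or credentials; return the HTTP status."""
    opener = urllib.request.build_opener(
        _NoRedirect,
        urllib.request.ProxyHandler({}),  # connect directly, ignore proxy env vars
    )
    req = urllib.request.Request(url, headers={"User-Agent": "module-access-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403, 404, or an unfollowed 3xx


def audit(base_url, paths):
    """Return {path: (status, verdict)} for each module file path given."""
    results = {}
    for path in paths:
        status = direct_access_status(base_url.rstrip("/") + "/" + path.lstrip("/"))
        if status == 403:
            verdict = "blocked"      # the response the reply says to expect
        elif 200 <= status < 300:
            verdict = "EXPOSED"      # file served without a session
        else:
            verdict = "review"       # redirect, 404, 5xx: inspect by hand
        results[path] = (status, verdict)
    return results


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check.py <site-base-url> <module-file-path> [...]")
    for path, (status, verdict) in audit(sys.argv[1], sys.argv[2:]).items():
        print(status, verdict, path)
```

Any path reported as EXPOSED means the .htaccess rule is not taking effect for that file, for example because the server configuration does not honour it.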

    Thread Starter mlapl1

    (@mlapl1)

    Thank you for your response. I found the setting and it did stop unauthorized access (although with the expected limitations).
    As for the “phone-in” solution – it becomes too much. And yes I understand about Moodle… thanks for the help.
    Andrew

  • The topic ‘Cluevo Security’ is closed to new replies.