Project: Opencast
MH-12840

LTI user provider may allow LMS admins to become Opencast admins

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed and reviewed
    • Affects versions: 3.0, 3.1, 3.2, 3.3, 3.4, 3.5, 4.0, 4.1, 4.2
    • Fix versions: 3.6, 4.4, 5.0
    • Labels: None
    • Severity: Security
    • Steps to reproduce:
      Matthias Neugebauer, Apr 17, to security:
      Hi,

      The LTI documentation currently reads:

      To give LMS users the same username in Opencast as the LMS username, uncomment the constructor arguments below and update CONSUMERKEY to the same key used above:
      https://docs.opencast.org/r/5.x/admin/modules/ltimodule/

      We use Opencast in this configuration so that the role provider can load additional roles. I have read the LTI
      authentication code multiple times, but it never occurred to me that Opencast trusts the provided username
      even for users like admin or opencast_system_account. I know that this is a configuration problem, but in my
      opinion it is quite surprising that the LMS admin could become the Opencast admin through LTI.

      The attached patch adds an additional String parameter to the LtiLaunchAuthenticationHandler, which contains
      a RegEx. Usernames that match will be rewritten like in the untrusted LTI configuration. The patch configures
      admin and opencast_system_account to be in that expression by default.

      Best regards
      Matthias Neugebauer

      ---
      Matthias Neugebauer
      eLectures
      Westfälische Wilhelms-Universität
      Leonardo-Campus 3 - Raum 334
      48149 Münster
      Telefon: +49 251 83-38268
      E-mail: matthias.neugebauer@uni-muenster.de
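The report above describes the fix in prose: in the "trusted" LTI configuration the LMS-supplied username is taken verbatim, so an LMS-side user named admin lands in Opencast's admin account; the patch adds a regex of reserved names that are instead rewritten as in the untrusted configuration. The following is an added, stand-alone Python model of that decision (Opencast's real handler is Java and is not reproduced here); the untrusted name format lti:<consumer_key>:<user_id>, the lis_person_sourcedid field as the username source and the default pattern are assumptions for illustration.

```python
import re

# Assumed default, modelled on the report: reserved local accounts that an
# LMS-supplied username must never map onto directly. The real patch passes
# such a regex as an extra String constructor argument.
DEFAULT_RESERVED_USERNAMES = r"^(admin|opencast_system_account)$"


def untrusted_username(consumer_key, lti_user_id):
    """Namespaced identity used when the LMS username is not trusted.

    The exact format is an assumption; the point is that it cannot collide
    with a local Opencast account name.
    """
    return "lti:%s:%s" % (consumer_key, lti_user_id)


def resolve_username(launch_params, consumer_key, trusted_consumers,
                     reserved_regex=DEFAULT_RESERVED_USERNAMES):
    """Return the Opencast username for an LTI 1.1 launch.

    reserved_regex=None reproduces the pre-patch behaviour of a trusted
    consumer: whatever username the LMS sends is accepted as-is.
    """
    lti_user_id = launch_params["user_id"]          # constructed sample field
    lms_username = launch_params.get("lis_person_sourcedid")

    # Untrusted consumer, or no username supplied: always namespace.
    if consumer_key not in trusted_consumers or not lms_username:
        return untrusted_username(consumer_key, lti_user_id)

    # The fix: even for a trusted consumer, names matching the reserved
    # pattern are rewritten as in the untrusted configuration, so an LMS
    # admin cannot become the Opencast admin through LTI.
    if reserved_regex is not None and re.search(reserved_regex, lms_username):
        return untrusted_username(consumer_key, lti_user_id)

    # Ordinary trusted user keeps the LMS username, enabling the role
    # provider to load additional roles for that account.
    return lms_username


if __name__ == "__main__":
    # Constructed launch from an LMS user whose username is "admin".
    launch = {"user_id": "1", "lis_person_sourcedid": "admin"}
    print("pre-patch :", resolve_username(launch, "moodle", {"moodle"}, None))
    print("post-patch:", resolve_username(launch, "moodle", {"moodle"}))
```

Note that the default pattern is exact and case-sensitive; if the user directory behind Opencast treats names case-insensitively, the deployed regex should be broadened accordingly.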

            People

            • Assignee: Greg Logan (greg_logan)
            • Reporter: Matthias Neugebauer (mtneug)
            • Watchers: 3
