Security testing of Open-Source Learning Management Systems - An investigation of ATutor, ILIAS and Moodle
Learning management systems (LMS) are widely used by educational institutions all over the world to support learning within their organization. Security breaches are an increasingly common problem, however, and they may threaten the widespread appeal of these systems. A security breach in an LMS may involve loss of productivity, or cause damage to an organization's assets or reputation. The aims of this study were to map out important threats for organizations that employ an LMS, to investigate whether those threats were present in open-source LMS, and to find possible mitigating measures. Accordingly, a risk analysis and penetration tests were performed on instances of ATutor, ILIAS and Moodle. In this study, threats pertaining to input validation, output escaping, impersonation, and theft of user credentials were found to be the principal concern. This notion was substantiated by the vulnerabilities that were found in ATutor, which encompass five cases of cross-site scripting (XSS), numerous cross-site request forgery (CSRF) instances, and theft of credentials. ILIAS initially had a credential theft vulnerability, which was fixed during the course of this study. The combined presence of XSS and CSRF also enables an XSS worm in ATutor, which has the capacity to cause significant damage. Two of the vulnerabilities that were deemed most serious were fixed by submitting pull requests to the project's repository on GitHub; these fixes are scheduled to be included in ATutor's next release (2.2.3). The tests conducted in this study do not provide complete coverage of the applications, although they were based on the common use cases of an LMS. Further research is therefore recommended to make a focused assessment of the security of ATutor.