Highlighted

scormdriver.js file that exported from CAPTIVATE failed to pass the security check due SHA1

New Here ,
Dec 21, 2019

Copy link to clipboard

Copied

Hello everyone!

 

We hope that you can support us in the below topic:

 

Our security team uses Micro Focus Fortify Static Code Analyzer to scan the SCORM files that generated from ADOBE CAPTIVATE to identify security vulnerabilities that pose threats to the organization before it goes to live on the LMS. 

 

It seems the scan results not good to them about some of the code in the scormdriver.js file

 

Here is an example of the issue:

Security team said: Weak hashing SHA1 cryptography being used and for what data? What is purpose of username and password in training course?

Source file (usernmae:): else if(cfg.hasOwnProperty("username")&&cfg.hasOwnProperty("password")){this.auth="Basic "+TinCan.Utils.getBase64String(cfg.username+":"+cfg.password);}

Source file (usernmae:): 899497514);a=l;l=k;k=j<<30|j>>>2;j=g;g=c}e[0]=e[0]+g|0;e[1]=e[1]+j|0;e[2]=e[2]+k|0;e[3]=e[3]+l|0;e[4]=e[4]+a|0},_doFinalize:function(){var i=this._data,h=i.words,e=8*this._nDataBytes,g=8*i.sigBytes;h[g>>>5]|=128<<24-g%32;h[(g+64>>>9<<4)+15]=e;i.sigBytes=4*h.length;this._process()}});i.SHA1=m._createHelper(n);i.HmacSHA1=m._createHmacHelper(n)})();(function(){var C=CryptoJS;var C_lib=C.lib;var WordArray=C_lib.WordArray;var C_enc=C.enc;var Base64=C_enc.Base64={stringify:function(wordArray){var words=wordArray.words;var sigBytes=wordArray.sigBytes;var map=this._map;wordArray.clamp();var base64Chars=[];for(var i=0;i<sigBytes;i+=3){var byte1=(words[i>>>2]>>>(24-(i%4)*8))&0xff;var byte2=(words[(i+1)>>>2]>>>(24-((i+1)%4)*8))&0xff;var byte3=(words[(i+2)>>>2]>>>(24-((i+2)%4)*8))&0xff;var triplet=(byte1<<16)|(byte2<<8)|byte3;for(var j=0;(j<4)&&(i+j*0.75<sigBytes);j++){base64Chars.push(map.charAt((triplet>>>(6*(3-j)))&0x3f));}}

 

Do I even we need this SHA1? and username and password?  if we dont want to use any kind of user authincations to report to LMS?

 

If we need it, does anyone know of to fix it to better hashing or disbale it?

 

Thanks in advance 

TOPICS
Import export

Views

108

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more

scormdriver.js file that exported from CAPTIVATE failed to pass the security check due SHA1

New Here ,
Dec 21, 2019

Copy link to clipboard

Copied

Hello everyone!

 

We hope that you can support us in the below topic:

 

Our security team uses Micro Focus Fortify Static Code Analyzer to scan the SCORM files that generated from ADOBE CAPTIVATE to identify security vulnerabilities that pose threats to the organization before it goes to live on the LMS. 

 

It seems the scan results not good to them about some of the code in the scormdriver.js file

 

Here is an example of the issue:

Security team said: Weak hashing SHA1 cryptography being used and for what data? What is purpose of username and password in training course?

Source file (usernmae:): else if(cfg.hasOwnProperty("username")&&cfg.hasOwnProperty("password")){this.auth="Basic "+TinCan.Utils.getBase64String(cfg.username+":"+cfg.password);}

Source file (usernmae:): 899497514);a=l;l=k;k=j<<30|j>>>2;j=g;g=c}e[0]=e[0]+g|0;e[1]=e[1]+j|0;e[2]=e[2]+k|0;e[3]=e[3]+l|0;e[4]=e[4]+a|0},_doFinalize:function(){var i=this._data,h=i.words,e=8*this._nDataBytes,g=8*i.sigBytes;h[g>>>5]|=128<<24-g%32;h[(g+64>>>9<<4)+15]=e;i.sigBytes=4*h.length;this._process()}});i.SHA1=m._createHelper(n);i.HmacSHA1=m._createHmacHelper(n)})();(function(){var C=CryptoJS;var C_lib=C.lib;var WordArray=C_lib.WordArray;var C_enc=C.enc;var Base64=C_enc.Base64={stringify:function(wordArray){var words=wordArray.words;var sigBytes=wordArray.sigBytes;var map=this._map;wordArray.clamp();var base64Chars=[];for(var i=0;i<sigBytes;i+=3){var byte1=(words[i>>>2]>>>(24-(i%4)*8))&0xff;var byte2=(words[(i+1)>>>2]>>>(24-((i+1)%4)*8))&0xff;var byte3=(words[(i+2)>>>2]>>>(24-((i+2)%4)*8))&0xff;var triplet=(byte1<<16)|(byte2<<8)|byte3;for(var j=0;(j<4)&&(i+j*0.75<sigBytes);j++){base64Chars.push(map.charAt((triplet>>>(6*(3-j)))&0x3f));}}

 

Do I even we need this SHA1? and username and password?  if we dont want to use any kind of user authincations to report to LMS?

 

If we need it, does anyone know of to fix it to better hashing or disbale it?

 

Thanks in advance 

TOPICS
Import export

Views

109

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Dec 21, 2019 0
ls_rbls LATEST
Adobe Community Professional ,
Dec 22, 2019

Copy link to clipboard

Copied

Hi,

 

So from what I gathered it seems that an LMS that is accessed via web server to complete a course via long distance learning,  a user authentication is needed when you want the progress of the learned content to be uniquely identified with a user and to be able to perform skill gap analysis, among many other things. Not using authentication may also duplicate a single user name to the same content when it is accessed by different users without regards of who actually completed an online course.

 

More specifically , it seems to be necessary when a user completes a lesson and there is any type of attachments involved, like a certificate of completion, for example, which will also uniquely identify a user of the LMS with a unique digital certificate associating its name and email address to a Certificate Authority, or HTML authentication, or common access card authentication.

 

According to scorm.com these are the  only three authentication methods that will be handled as the content is accessed via web browser (but don't fully quote me on this as I may be entirely wrong).

 

The SHA1 algoritm associated in this handshaking process has been phased out, so it is actually a good thing that your security scan was able to identify this weakness.

 

See here:

https://www.google.com/amp/s/www.csoonline.com/article/2879073/all-you-need-to-know-about-the-move-f... 

 

You may also want to check if instead of using LMS should move to an LRS and verify that the Tin CAN API  shown above in your scormdriver.js file is actually conforming to the latest supported standards of the SCORM driver and engine.

 

Your developing team will probably have to do a lot of reading here for LRS endpoints and authentication credentials and SSL implementation in addition to the SHA2:

 

https://support.scorm.com/hc/en-us/articles/360013261454?mobile_site=true 

 

or seek additional support with the rusticisoftware website.

 

See more here:

 

https://scorm.com/wp-content/assets/Engine-Docs/TinCanIntegration.html 

 

https://xapi.com/blog/deep-dive-attachments/ 

 

https://xapi.com/cmi5/ 

 

https://xapi.com/tech-overview/ 

 

As this is not my area, I hope that the information provided here can assist you with more insights allowing your team to find a solution.

 

 

 

 

Likes

Translate

Translate

Report

Report
Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Reply
Loading...
Dec 22, 2019 0