Hello everyone!
We hope that you can support us with the topic below:
Our security team uses Micro Focus Fortify Static Code Analyzer to scan the SCORM files that are generated from Adobe Captivate to identify security vulnerabilities that pose threats to the organization before they go live on the LMS.
It seems the scan results are not good, according to them, for some of the code in the scormdriver.js file.
Here is an example of the issue:
The security team said: weak SHA1 hashing cryptography is being used, and for what data? What is the purpose of a username and password in a training course?
Source file (username): else if(cfg.hasOwnProperty("username")&&cfg.hasOwnProperty("password")){this.auth="Basic "+TinCan.Utils.getBase64String(cfg.username+":"+cfg.password);}
Source file (usernmae:): 899497514);a=l;l=k;k=j<<30|j>>>2;j=g;g=c}e[0]=e[0]+g|0;e[1]=e[1]+j|0;e[2]=e[2]+k|0;e[3]=e[3]+l|0;e[4]=e[4]+a|0},_doFinalize:function(){var i=this._data,h=i.words,e=8*this._nDataBytes,g=8*i.sigBytes;h[g>>>5]|=128<<24-g%32;h[(g+64>>>9<<4)+15]=e;i.sigBytes=4*h.length;this._process()}});i.SHA1=m._createHelper(n);i.HmacSHA1=m._createHmacHelper(n)})();(function(){var C=CryptoJS;var C_lib=C.lib;var WordArray=C_lib.WordArray;var C_enc=C.enc;var Base64=C_enc.Base64={stringify:function(wordArray){var words=wordArray.words;var sigBytes=wordArray.sigBytes;var map=this._map;wordArray.clamp();var base64Chars=[];for(var i=0;i<sigBytes;i+=3){var byte1=(words[i>>>2]>>>(24-(i%4)*8))&0xff;var byte2=(words[(i+1)>>>2]>>>(24-((i+1)%4)*8))&0xff;var byte3=(words[(i+2)>>>2]>>>(24-((i+2)%4)*8))&0xff;var triplet=(byte1<<16)|(byte2<<8)|byte3;for(var j=0;(j<4)&&(i+j*0.75<sigBytes);j++){base64Chars.push(map.charAt((triplet>>>(6*(3-j)))&0x3f));}}
Do we even need this SHA1, and the username and password, if we don't want to use any kind of user authentication to report to the LMS?
If we need it, does anyone know how to change it to better hashing, or how to disable it?
Thanks in advance
Hi,
So from what I gathered, it seems that for an LMS that is accessed via a web server to complete a course through distance learning, user authentication is needed when you want the progress on the learned content to be uniquely identified with a user and to be able to perform skill gap analysis, among many other things. Not using authentication may also duplicate a single user name on the same content when it is accessed by different users, regardless of who actually completed an online course.
More specifically, it seems to be necessary when a user completes a lesson and there is any type of attachment involved, like a certificate of completion, for example, which will also uniquely identify a user of the LMS with a unique digital certificate associating their name and email address with a Certificate Authority, or HTML authentication, or common access card authentication.
According to scorm.com these are the only three authentication methods that will be handled as the content is accessed via web browser (but don't fully quote me on this as I may be entirely wrong).
The SHA1 algorithm associated with this handshaking process has been phased out, so it is actually a good thing that your security scan was able to identify this weakness.
See here:
You may also want to check whether, instead of using an LMS, you should move to an LRS, and verify that the Tin Can API shown above in your scormdriver.js file actually conforms to the latest supported standards of the SCORM driver and engine.
Your developing team will probably have to do a lot of reading here for LRS endpoints and authentication credentials and SSL implementation in addition to the SHA2:
https://support.scorm.com/hc/en-us/articles/360013261454?mobile_site=true
or seek additional support on the rusticisoftware website.
See more here:
https://scorm.com/wp-content/assets/Engine-Docs/TinCanIntegration.html
https://xapi.com/blog/deep-dive-attachments/
https://xapi.com/tech-overview/
As this is not my area, I hope that the information provided here can assist you with more insights allowing your team to find a solution.