Over the last 24 months, the general level of security of web applications has improved considerably. With the maturity reached by the web application sector came better methods to detect, report and publish security vulnerabilities.
Dokeos has not been idle in all this. Since the first version of Dokeos 1.8, we have had one major code review done by a French security company, followed by three consecutive security vulnerability reports for Dokeos 1.8.4, for which we provided security patches and fixed the vulnerabilities in the recently published Dokeos 1.8.5. One of these reports concerned a third-party library that we include in the Dokeos code, not Dokeos itself.
This also raised our awareness of security threats caused by crafted data that we thought we were filtering well enough. We now pay attention to input filtering in every new piece of code we write, to make sure it handles user-supplied data appropriately.
Amongst the most common security threats in web applications are XSS, CSRF, SQL injection and browser vulnerabilities.
We deal with XSS by filtering any input that is likely to be output on the campus pages, and removing any dangerous character strings.
CSRF is dealt with by ensuring every form carries a security token, which prevents a third-party page from submitting the form on behalf of a logged-in user for other purposes.
We deal with SQL injection by filtering any data that does not come from the database or from the code itself, passing it through data-type filters and the usual SQL escaping filters.
Finally, we deal with browser vulnerabilities by filtering input data and removing threatening strings.
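To make the three defences above concrete, here is an added example that is not Dokeos code (Dokeos is written in PHP; the same ideas carry over directly). It is written in Python so it can be run as-is, and it deliberately goes one step beyond the text: beside the "remove dangerous strings" approach described for XSS it shows context-aware output escaping, and beside SQL filtering it shows bound parameters, which is the technique that removes the injection class altogether. The table contents, session identifiers and the startup-generated server secret are constructed for the example.

```python
"""Illustrative defences for XSS, CSRF and SQL injection.
Added example, not code from Dokeos. All inputs below are constructed."""
import hashlib
import hmac
import html
import re
import secrets
import sqlite3


# ---- XSS ----------------------------------------------------------------
def strip_script_tags(text):
    """Blacklist-style filter: removes <script>...</script> blocks only.
    Included to show why 'removing dangerous strings' is fragile: any
    payload the pattern does not anticipate passes through untouched."""
    return re.sub(r"<script\b[^>]*>.*?</script>", "", text, flags=re.I | re.S)


def escape_for_html(text):
    """Context-aware encoding: every character that is significant in an
    HTML text or attribute context becomes an entity, so no markup survives,
    whatever the payload looks like."""
    return html.escape(text, quote=True)


# ---- CSRF ---------------------------------------------------------------
# Assumption: a single server-side secret, generated at process start here.
# A real deployment loads it from configuration so tokens survive restarts.
_SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id):
    """Token bound to the user's session via HMAC; embed it in a hidden
    form field so a foreign site cannot forge a valid submission."""
    return hmac.new(_SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_valid(session_id, submitted_token):
    """Constant-time comparison; a missing, malformed or foreign token fails."""
    if not isinstance(submitted_token, str) or not submitted_token.isascii():
        return False
    if not submitted_token:
        return False
    return hmac.compare_digest(csrf_token(session_id), submitted_token)


# ---- SQL injection ------------------------------------------------------
def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    conn.commit()
    return conn


def find_user_concat(conn, name):
    """Vulnerable: user input is spliced into the SQL text."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_bound(conn, name):
    """Hardened: the driver sends the value separately from the statement,
    so the input can never change the query's structure."""
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


def parse_course_id(raw):
    """Data-type filter for numeric identifiers: anything that is not a
    short run of digits is rejected before it gets near a query."""
    if not re.fullmatch(r"[0-9]{1,9}", raw or ""):
        raise ValueError("course id must be a positive integer")
    return int(raw)


if __name__ == "__main__":
    payload = "<img src=x onerror=alert(1)>"
    print(strip_script_tags(payload))   # unchanged: the blacklist missed it
    print(escape_for_html(payload))     # &lt;img src=x onerror=alert(1)&gt;
    conn = make_db()
    print(find_user_concat(conn, "' OR '1'='1"))  # every user is returned
    print(find_user_bound(conn, "' OR '1'='1"))   # []
```

The point of the pairs: a blacklist has to know every dangerous string in advance, whereas escaping on output and binding parameters are defined by the output context and the database driver, so they hold against inputs nobody thought of when the filter was written.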
I think Dokeos is now a very secure application in terms of hacking. Course content privacy still has some issues, though, and we are working on better ways to prevent unauthorized access for the next versions. Don't get me wrong, we do protect them through the use of Apache settings, but these are not included by default in Dokeos, which means your data is better protected if you go through our hosting services, so far.
Dokeos 1.8.6 has undergone a complete security audit by a skilled Bulgarian hacker, who reported more than 100 flaws in the new code. We fixed all of them within one week before the release of 1.8.6 stable. As such, we can safely say that 1.8.6 is by far the most secure and complete of all the Dokeos versions.
You can find the various security reports and security patch information by following the links below:
http://www.dokeos.com/wiki/index.php/Security
