security problem with mod/scorm/datamodel.php

by Michał Boszke -

Hi.

I have a security problem while doing a SCORM course.


After completing the course, a POST is sent to mod/scorm/datamodel.php. The POST contains, among other things, the result and status.

I copied the cookie (MoodleSession) and the POST values, along with the sesskey, to Postman. I replaced the POST value cmi.core.score.raw with a higher one and sent the request again. The data in the database was updated. Any user who does a SCORM course can update data in the database.


Is there any way of authorization to catch the situation when the user tries to substitute values in the database in this way?

In reply to Michał Boszke

Re: security problem with mod/scorm/datamodel.php

by Dan Marsden -

Hi Michał,

Unfortunately this is just how the SCORM standard works and is widely known - there's a good post here that is worth reading:
https://scorm.com/blog/scorm-security-some-perspective/

You should not be using SCORM for anything where the score/completion status needs to be 100% correct (SCORM is also pretty unreliable and sometimes a user can complete the package without that status being passed to Moodle at all.)

If you want something similar to SCORM then it's worth checking out H5P as it's slightly better in the way it handles this, but if you're looking to implement exam-style assessments you might want to look at using the Moodle quiz combined with something like Safe Exam Browser.

Average of ratings: Useful (3)
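
Added example (not part of either post and not Moodle code): a log-review heuristic for the resubmission described in the question, assuming the site keeps a timestamped record of every tracked-element write; the record layout, sample rows and function name are hypothetical. It only surfaces a cmi.core.score.raw value that is raised after the attempt already reached a terminal status, and it cannot tell whether a first submission was honest, because SCORM takes the score from the client.

```python
from collections import defaultdict

# Constructed sample records (not real Moodle logs): one row per tracked
# element write, as (unix_time, userid, scoid, attempt, element, value).
SAMPLE_WRITES = [
    (1000, 7, 3, 1, "cmi.core.lesson_status", "incomplete"),
    (1040, 7, 3, 1, "cmi.core.score.raw", "40"),
    (1100, 7, 3, 1, "cmi.core.score.raw", "55"),
    (1100, 7, 3, 1, "cmi.core.lesson_status", "completed"),
    (1900, 7, 3, 1, "cmi.core.score.raw", "100"),  # raised after completion
    (1000, 8, 3, 1, "cmi.core.score.raw", "80"),
    (1010, 8, 3, 1, "cmi.core.lesson_status", "passed"),
    (1020, 8, 3, 1, "cmi.core.score.raw", "80"),   # same value re-sent
]

# SCORM 1.2 lesson_status values that end an attempt.
TERMINAL = {"passed", "completed", "failed"}


def flag_late_score_raises(writes):
    """Return score writes that raise the value after a terminal status."""
    state = defaultdict(lambda: {"done_at": None, "score": None})
    flagged = []
    # Stable sort by time keeps same-request writes in their logged order.
    for ts, user, sco, attempt, element, value in sorted(writes, key=lambda w: w[0]):
        s = state[(user, sco, attempt)]
        if element == "cmi.core.lesson_status":
            if value in TERMINAL and s["done_at"] is None:
                s["done_at"] = ts
        elif element == "cmi.core.score.raw":
            try:
                score = float(value)
            except ValueError:
                continue  # non-numeric score: nothing to compare
            done, prev = s["done_at"], s["score"]
            if done is not None and ts > done and prev is not None and score > prev:
                flagged.append({"userid": user, "scoid": sco, "attempt": attempt,
                                "previous": prev, "new": score,
                                "seconds_after_completion": ts - done})
            s["score"] = score
    return flagged


if __name__ == "__main__":
    for hit in flag_late_score_raises(SAMPLE_WRITES):
        print(hit)
```

Hits are leads for manual review, not proof of tampering, since a package may legitimately rewrite its score when a learner reopens it.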