  1. #1
    SuccessMaker opens security holes for vandalism and viruses

    Put simply, SuccessMaker creates a half-dozen folders in the root, then sets absurd access permissions on them.

    Rather than giving users read-only access to program directories (where EXE and DLL files live) and modify access to data folders, they grant FULL CONTROL rights to all 6 folders for all users.

    Say what? How often do you suppose students running SM need to change the owner of the files in these folders? Or set the file access permissions? What were they thinking setting Full Control?

    Let's look at some of the opportunities for mischief this creates:

    1) Any user (even students!) can simply DELETE these folders and everything in them. This makes the computer unusable until the IT department can re-install the SM software, whereupon they can simply delete it again.
    2) Whatever data SM stores in the Student or Teacher folders is subject to being read (or changed) by any user on the computer.
    3) Any viruses accidentally downloaded by users can store themselves in these folders. They can even attach themselves to the executable files there and spread to every user that runs SuccessMaker.
    4) Malicious users with somewhat more advanced knowledge could even produce programs with login screens that emulate SM in order to grab credentials, then replace the normal programs with their own.

    And that's just off the top of my head.

    In an education environment, not all the people using the computers are angels. While you can *hope* that they won't choose to do anything inappropriate (or simply don't know how), the better plan is to take prudent steps to secure the computers. This philosophy helps protect you from both the accidentally careless users, as well as the deliberately malicious ones.

    I have spoken to SM, but while they understood my concerns and were polite, they had no solutions to offer.

    I'm hoping that someone else has already worked through this and has an answer here. Please tell me I'm not the only person who sees this as a serious security hole! If you have any information here, please share.

    Even if you don't have a solution, I'd still like to hear from you if you consider this to be a problem. If SM doesn't have a fix, I have ideas of my own about how to correct this. But I could use some help from people who are more familiar with SM than I am.

    Thanks.

  2. #2
    Enabling full control on folders, shares etc. seems to be the default position of most software vendors I have come across, including everything from random software like SuccessMaker to huge systems like SIMS. It drives me nuts; it's just down to ignorance of how permissions actually work and sheer laziness. It's the main reason why I refuse to ever let engineers install anything on my servers.

    As for a solution to SuccessMaker, what I did was move the folders from the root to a SuccessMaker folder in Program Files, add hidden symbolic directory links in place of the root folders and reset the permissions myself to something less insecure.
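    The relocation described in this reply, as an added PowerShell example (not from the thread and not SuccessMaker's own tooling): each root folder is moved under Program Files, reset to inherit the Program Files ACL, and replaced at the old path by a hidden directory junction so the software still finds it. The folder names and the Program Files subfolder are placeholders, and a junction stands in for the symbolic link mentioned above because it needs no extra privilege and behaves the same for local paths.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Folder names are placeholders: substitute
# the half-dozen root folders the SuccessMaker installer actually created.
$targetRoot  = Join-Path $env:ProgramFiles 'SuccessMaker'   # assumed new parent
$rootFolders = @('SM_FOLDER_1', 'SM_FOLDER_2')              # placeholder names

New-Item -ItemType Directory -Path $targetRoot -Force | Out-Null

foreach ($name in $rootFolders) {
    $oldPath = "$env:SystemDrive\$name"
    $newPath = Join-Path $targetRoot $name
    if (-not (Test-Path -LiteralPath $oldPath)) { continue }

    # 1. Move the real data out of the root of the system drive.
    Move-Item -LiteralPath $oldPath -Destination $newPath

    # 2. Drop the installer's explicit ACEs (the Full Control grants) and
    #    re-enable inheritance so the folder takes the Program Files defaults
    #    (Users: read & execute, Administrators/SYSTEM: full control).
    $acl = Get-Acl -LiteralPath $newPath
    $acl.SetAccessRuleProtection($false, $false)      # inherit from parent
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($ace) | Out-Null
    }
    Set-Acl -LiteralPath $newPath -AclObject $acl

    # 3. Leave a junction at the old path so hard-coded root paths keep
    #    working, then mark it hidden as the reply describes.
    New-Item -ItemType Junction -Path $oldPath -Target $newPath | Out-Null
    $link = Get-Item -LiteralPath $oldPath -Force
    $link.Attributes = $link.Attributes -bor [System.IO.FileAttributes]::Hidden

    Write-Host "Relocated $oldPath -> $newPath (junction left in place)"
}
```

    The junction itself inherits the root's ACL; the data behind it is governed by the ACL at the new location, which is the one that now matters.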

  3. #3
    Hey Chris, thanks for the response.

    Do you have a list of the permissions that you ended up using?

  4. #4
    Quote Originally Posted by snarfle
    Hey Chris, thanks for the response.

    Do you have a list of the permissions that you ended up using?
    I just reset the folders to inherit the default permissions from the Program Files folder, but you can, if you want, set individual permissions to the student & teacher folders using your domain groups.

  5. #5
    Really? Now that's interesting.

    The SM folks seemed quite sure that temporary files got created in some of these folders. Although they couldn't say which ones...

  6. #6
    Quote Originally Posted by snarfle
    Really? Now that's interesting.

    The SM folks seemed quite sure that temporary files got created in some of these folders. Although they couldn't say which ones...
    What version do you have? Ours is a fairly old network licensing version, perhaps there are some differences. Can't hurt to try though, can it?

  7. #7
    We're running SuccessMaker Enterprise v1.7.2.

    As for "can't hurt to try," that's true if the problem shows up right away. However I'd hate to have SM grind to a halt abruptly a week or two later when some specific feature area gets accessed.

    In fact, this thread (SuccessMaker Issue) seems to relate to problems that get fixed by granting greater permissions.

  8. #8
    I am still looking for some admins that are familiar with SM who can help me sort this out. I know finding people during the summer is going to be a challenge, but clearly this is the best time to be experimenting with this.

    So, I have started looking through the local directories. There are 176 of them. So far, I've found 2 of them that look like they need write access, and 73 that should probably be read only.
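    An added PowerShell example (not from the thread) for the directory inventory this post describes: it walks the installation tree and reports every directory where a broad principal (Everyone, Users, Authenticated Users, INTERACTIVE) holds write, delete or permission-change rights, so the read-only versus write decision can be recorded per folder instead of by trial and error. $smRoot is an assumed path.

```powershell
# Added example, not from the thread. Point $smRoot at the real installation
# tree (the root folders, or the Program Files location after relocating them).
$smRoot = 'C:\Program Files\SuccessMaker'                   # assumed path

$broadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that let a user alter or destroy content, not merely read it.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = $fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
             $fsr::ChangePermissions -bor $fsr::TakeOwnership

function Get-OverBroadDirectoryAcl {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force | ForEach-Object {
        $dir = $_
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (($ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Directory   = $dir.FullName
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.FileSystemRights
                Inherited   = $ace.IsInherited
                FullControl = (($ace.FileSystemRights -band $fsr::FullControl) -eq $fsr::FullControl)
            }
        }
    }
}

$findings = @(Get-OverBroadDirectoryAcl -Root $smRoot)
$findings | Sort-Object Directory, Principal | Format-Table -AutoSize

$total = @(Get-ChildItem -LiteralPath $smRoot -Directory -Recurse -Force).Count
$flagged = @($findings.Directory | Select-Object -Unique).Count
"{0} of {1} directories grant write-class rights to a broad principal" -f $flagged, $total
```

    Directories that do not appear in the report are already read-only for ordinary users; those that do are the candidates for either keeping write access (data and temp folders) or resetting to inherit, and the Inherited column shows whether fixing the parent alone will clear them.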
