Last updated on NOVEMBER 29, 2016
Applies to: PeopleSoft Enterprise ELM Enterprise Learning Management - Version 9.1 and later
Information in this document applies to any platform.
ELM 9.2 Content URL Security Issue.
A user can go to the web server that the content is on, open a browser, and point to the content without going through the ELM system.
For example, content is on a web server xyz, in a folder called content/AICC/123.
When SCORM content is launched, a new window is opened and the URL to launch the course is displayed in the address bar.
No ID or password is requested when such a URL is used. There is no way to prevent someone from going to http://xyz/content/AICC/123/.html and launching the content.
If the content on a client web server is not protected with a firewall or intranet security, it is possible that a user can gain access to the SCORM class outside of PIA.
The expected behavior is that launching the content requires authentication by logging in as a PeopleSoft user.
The issue can be reproduced at will with the following steps:
- Click on the URL.
- The course begins, bypassing the PeopleSoft ELM sign-on page.
This issue causes security concerns for the company because it allows non-employees to access proprietary information.
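A log check that follows from the behavior described above, as an added example that is not part of the original article or Oracle's code: it flags course content served to requests whose Referer is neither the PIA host nor the content server itself. The host name elm.example.com, the file name course.html, the combined log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumptions, not from the article: Apache/nginx "combined" log format,
# a hypothetical PIA host name, and content served under /content/.
PIA_HOST = "elm.example.com"   # hypothetical ELM/PIA web host
CONTENT_HOST = "xyz"           # content web server named in the article
CONTENT_PREFIX = "/content/"

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def direct_content_hits(lines):
    """Return (client_ip, path) for content that was served to a request
    whose Referer is neither the PIA host (a normal launch) nor the content
    host itself (assets fetched by a course that is already open)."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not m["path"].startswith(CONTENT_PREFIX):
            continue                      # unparsable line or not course content
        if not m["status"].startswith("2"):
            continue                      # nothing was actually served
        ref_host = urlparse(m["referer"]).hostname  # None for "-" or empty
        if ref_host not in (PIA_HOST, CONTENT_HOST):
            hits.append((m["ip"], m["path"]))
    return hits

# Constructed sample log lines (course.html is a made-up file name).
TS = "[29/Nov/2016:10:00:00 +0000]"
PAGE = "/content/AICC/123/course.html"
SAMPLE = [
    f'10.0.0.5 - - {TS} "GET {PAGE} HTTP/1.1" 200 5120 "https://elm.example.com/launch" "Mozilla/5.0"',
    f'10.0.0.5 - - {TS} "GET /content/AICC/123/a.js HTTP/1.1" 200 812 "http://xyz{PAGE}" "Mozilla/5.0"',
    f'203.0.113.9 - - {TS} "GET {PAGE} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - {TS} "GET {PAGE} HTTP/1.1" 200 5120 "http://other.example.net/links" "Mozilla/5.0"',
    f'203.0.113.9 - - {TS} "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, path in direct_content_hits(SAMPLE):
        print(f"direct access: {ip} -> {path}")
```

The Referer header is supplied by the client, so treat the result as a triage signal for direct access and not as an access control.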