...

We will follow the above policy and ensure that any security issues are addressed completely and thoroughly.
Where possible we will ensure that security vulnerabilities within third-party libraries are fixed at their source, either through upstream fixes or bespoke solutions we develop ourselves.
In the rare situation where an issue cannot be fixed at the source, we will find solutions for each individual use of the third-party library and put safeguards in place for any future uses, including in some cases removing functionality from the third-party library.

Are some versions of Totara vulnerable due to using older versions of jQuery?

...

What third-party libraries are sometimes raised in security scans and penetration tests?

The libraries listed below may be raised as having known vulnerabilities. The development team regularly reviews the product to ensure that any known vulnerabilities cannot be exploited.

  • jQuery (including related modules such as jquery-ui and jquery-ui-dialog)
  • YUILib
  • Handlebars

Predominantly, vulnerabilities in the above libraries rely upon unsanitised user input being supplied to various jQuery library methods. Any input supplied to the jQuery methods in question will have been sanitised by the server. As described in "Support for third-party libraries" above, we will also backport fixes where appropriate to provide a further layer of security.
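The paragraph above describes the general defence: the server escapes user input before it is handed to a jQuery method that interprets its argument as markup. The following is an added illustration of that pattern, not Totara code; it assumes a hypothetical comment template and uses constructed sample strings. The audit helper at the end shows how a reviewer can confirm that a rendered fragment contains only the tags the template itself emits.

```javascript
// Added example (not Totara's code): server-side HTML escaping applied before
// data reaches a jQuery markup sink such as $(), .html() or .append().
// The template and sample strings below are hypothetical/constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that allow text to be read as markup or to break
// out of a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the fragment the server would hand to the client. Only escaped text is
// interpolated, so whatever jQuery method later consumes it sees no new tags.
function renderCommentFragment(author, body) {
  return `<div class="comment"><span class="author">${escapeHtml(author)}</span>: ${escapeHtml(body)}</div>`;
}

// Audit check: does a rendered fragment contain any tag name other than those
// the template is known to emit? Returns true if an unexpected tag is present.
function containsUnexpectedTag(fragment, allowedTags) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = tagRe.exec(fragment)) !== null) {
    if (!allowedTags.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample: a comment body that carries markup.
const untrustedBody = 'Nice post <script>alert(1)</script>';
const fragment = renderCommentFragment('alice', untrustedBody);
console.log(fragment);
console.log(containsUnexpectedTag(fragment, ['div', 'span']));   // false: markup was neutralised
console.log(containsUnexpectedTag(untrustedBody, ['div', 'span'])); // true: raw input still carries a tag
```

The escaping step is what makes the later jQuery call safe regardless of which library version is in use; the audit helper is only a cheap sanity check for reviewers and is not a substitute for escaping at the point of rendering.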

Miscellaneous

How are security measures tested?

Our partners and subscribers regularly submit our application to security penetration testing. In addition we commission an independent third party security review ourselves every other major release.

Are connected applications required to authenticate each other?

There are many different systems and services that Totara Learn hooks into. By default Totara Learn does not communicate with any systems or services other than those that provide public information, so no authentication is needed in that case.

In situations where Totara Learn is configured to connect to and communicate with external systems and services it will use a means of authentication that is appropriate to that service or system.

Importantly, Totara Learn can be configured to publish its own services. When doing so, Totara Learn requires an authentication token in order to authenticate the incoming request.
This token must be known to and pre-approved in Totara Learn.

Which comments are there in the HTML markup?

Totara is a large application developed over many years. Whilst HTML comments are rare, it is impossible for us to empirically state the nature of every HTML comment that does exist, other than to say that they should relate to specific decisions in the user interface and provide insight only into design direction.

What documentation about the application is available?

Our main feature help site is at https://help.totaralearning.com/. Security specific information is on the Security page of our policy documents area.