No those things .LRN is pretty well protected against :)
SSL is a webserver setting, not an application setting. And AOLserver, the webserver for .LRN, supports SSL.
.LRN has object-level security, basically for every object in the system you can answer the questions "has user x the permission to do y on object z?". The permissioning model is hierarchical and at times fairly complex, but well-understood.
Another big security plus of .lrn is ad_page_contract, a programming function which makes it quite easy and comfortable to check user input.
As a community, I think both .LRN and OpenACS are quite security-conscious.
Why and more importantly how do you think a good hacker can turn around a .lrn system?
