Dear list members,

a security issue has been identified (big thanks to Nicolas Schäfli) and
fixed for ILIAS versions >= 5.0.

It was possible to upload HTML files as media objects (e.g. in wiki
pages) which could be used to inject JavaScript.

According to the Jour Fixe decision the responsible component maintainer
introduced some changes regarding the handling of HTML files uploaded as
media objects.

Jour Fixe, FEB 13, 2017: "To patch this problem we decided to prohibit
the upload of HTML and the interpretation of HTML in media objects for
5.0 to 5.2."

If *.html files are uploaded they are always renamed to *.sec now
(similar to the handling of executables). The rendering has been
deactivated. Existing *.html files (uploaded before the patch) are not
rendered anymore, but there isn't a concept of deleting/renaming these
files, yet.

Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
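The upload policy described in the message above, as an added example in Python (not ILIAS code): HTML uploads are stored under a *.sec name, and neither *.sec files nor pre-patch *.html files are rendered inline. The extra .htm/.xhtml suffixes, the multi-extension check, the content check and all function names are assumptions, not taken from the advisory.

```python
"""Upload filter modelled on the advisory's policy: HTML uploads are renamed
to *.sec and nothing stored under an HTML name is rendered inline.
Added example, not ILIAS code; extension lists and names are assumptions."""
import re

# ".html" is the suffix named in the advisory; ".htm" and ".xhtml" are added
# here (assumption) because browsers treat them as HTML as well.
HTML_EXTENSIONS = {"html", "htm", "xhtml"}
QUARANTINE_SUFFIX = "sec"  # the advisory's suffix for neutralised uploads

# Markers that identify HTML content regardless of the declared extension
# (assumption: a cheap content check backing up the extension check).
_HTML_MARKERS = re.compile(rb"<!doctype\s+html|<html\b|<script\b", re.I)


def is_html_name(filename: str) -> bool:
    """True if any extension segment of the name is an HTML extension.

    Every segment is checked, not just the last one, because servers such as
    Apache mod_mime evaluate all extensions, so 'page.html.xyz' can still be
    served as text/html when '.xyz' is unknown to the server.
    """
    segments = filename.lower().split(".")[1:]
    return any(seg in HTML_EXTENSIONS for seg in segments)


def looks_like_html(data: bytes) -> bool:
    """Content check on the first 1 KiB: catches HTML uploaded under a
    harmless-looking name such as 'image.gif'."""
    return _HTML_MARKERS.search(data[:1024]) is not None


def stored_filename(filename: str, data: bytes) -> str:
    """Name under which an upload is stored. HTML is renamed to *.sec; inner
    dots become underscores so no HTML segment survives in the stored name."""
    if is_html_name(filename) or looks_like_html(data):
        stem = filename.rsplit(".", 1)[0] if "." in filename else filename
        stem = stem.replace(".", "_") or "upload"
        return f"{stem}.{QUARANTINE_SUFFIX}"
    return filename


def may_render_inline(stored_name: str) -> bool:
    """Rendering policy for media objects: refuses *.sec files and also the
    legacy *.html files uploaded before the patch, which the advisory says
    are no longer rendered but still exist on disk."""
    return not (is_html_name(stored_name)
                or stored_name.lower().endswith("." + QUARANTINE_SUFFIX))
```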

Dear list members,

a security issue has been identified (big thanks to Thomas Hufschmidt)
and fixed for ILIAS versions 5.0 and 5.1. For version 5.2.0, the issue
was already fixed at the time it was released.

The vulnerability was located in the QTI import of *-choice questions
with images used as answer options and existed since the initial
implementation of QTI export/import.

We strongly advise you to update your ILIAS installation to the latest
version (5.0.19, 5.1.15). For more detailed explanations, don't hesitate
to contact me.

Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board