Dear list members,
a security issue has been identified (thanks to chbi from
https://chbi.eu/) in the media object component and fixed for ILIAS
versions 5.1, 5.2 and 5.3beta.
We strongly advise updating your ILIAS installation to the latest
version. For more detailed explanations, don't hesitate to contact us.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
Dear ILIAS-Admins,
in JourFixe-2017-09-25 [1], Alex Killing announced that he would step down from the
maintainership of the Setup, and Matthias Kunkel called for applicants
for that vacancy.
I am indeed interested in taking over the maintainership, and CaT
Concepts and Training GmbH is willing to invest in the setup.
Since I have some opinions about the general direction the setup should
take and I'm not willing to just continue with the current model or
blindly accept payment for any feature in the setup, I want to check my
ideas with the community first before finally applying for maintainership.
I created a featurewiki page [2] containing my ideas. Please leave
comments and questions in the discussion section of this page as usual.
[1] https://www.ilias.de/docu/goto_docu_wiki_wpage_4835_1357.html
[2] https://www.ilias.de/docu/goto_docu_wiki_wpage_4900_1357.html
Best Regards!
--
Richard Klees
Lead Developer Qualifizierungsmanagement
---------------------------------------------
CaT Concepts and Training GmbH
Vorgebirgstraße 338
50969 Köln
Phone: +49 (0)221 / 46 75 76 - 56
Fax: +49 (0)221 / 46 75 76 - 09
Mail: richard.klees(a)concepts-and-training.de
Web: http://www.concepts-and-training.de
---------------------------------------------
Management:
Sven Kapust, Gerald Konrad, Alexandra Oehlke,
Sandra Röbbelen, Volker Röbbelen, Denis Witt
District Court Köln HRB 57804
VAT ID no.: DE 814694228
Registered office: Köln
---------------------------------------------
Dear list members,
a security issue has been identified (thanks to Timon Amstutz [Uni Bern
and ILIAS Technical Board]) and is fixed for ILIAS 5.2.x.
The issue was located in the 'Mail System' and affected the recipient
string parsing.
This led to a situation where an attacker in a group named 'admin'
received every email that was addressed to any assumed distinct local
role having 'admin' in its name (e.g.
"Course Administrator <#admin@[NameOfAnArbitraryCourse]>").
We strongly advise updating your ILIAS installation to the latest
version 5.2.7.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
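Added example, not part of the original announcement and not ILIAS code: the message above says a group merely named 'admin' received mail addressed to local roles whose name contained 'admin'. The snippet below resolves a "#role@scope" recipient by an exact, scope-qualified lookup; the directory is constructed sample data, the address grammar is an assumption made for this example, and the substring matcher is included only as an assumed weak contrast, not as the code that was in ILIAS.

```php
<?php
// Added example, not ILIAS code: resolve a "#role@scope" mail recipient by an exact,
// scope-qualified lookup. The directory is constructed sample data and the address
// grammar is an assumption made for this example.

$directory = [
    // local roles, keyed by the object (course) title and then the role name
    'roles' => [
        'Linear Algebra' => ['admin' => ['alice'], 'member' => ['bob', 'carol']],
    ],
    // global groups by title; "admin" is an ordinary group that merely shares the word
    'groups' => [
        'admin' => ['mallory'],
    ],
];

function parseRecipient($recipient)
{
    // Accept "Display Name <#role@Scope>" or a bare "#role@Scope"; reject everything else.
    $r = trim($recipient);
    if (preg_match('/^[^<>]*<([^<>]*)>$/', $r, $m)) {
        $r = $m[1];                                   // address part inside the angle brackets
    }
    if (!preg_match('/^#([A-Za-z0-9_]+)@(.+)$/', $r, $m)) {
        return null;
    }
    return ['role' => $m[1], 'scope' => trim($m[2])];
}

function resolveLocalRole(array $directory, $recipient)
{
    $target = parseRecipient($recipient);
    if ($target === null) {
        return [];
    }
    // Exact array-key lookups: the scope must exist and the role must exist inside that
    // scope. Groups, and roles elsewhere whose title merely contains the word, are never consulted.
    if (!isset($directory['roles'][$target['scope']][$target['role']])) {
        return [];
    }
    return $directory['roles'][$target['scope']][$target['role']];
}

// Shown only for contrast (an assumed weak matcher, not the code that was in ILIAS):
// matching the role word against every group and role title by substring also delivers
// the message to the unrelated "admin" group.
function resolveBySubstring(array $directory, $recipient)
{
    $target = parseRecipient($recipient);
    if ($target === null) {
        return [];
    }
    $hits = [];
    foreach ($directory['groups'] as $title => $members) {
        if (stripos($title, $target['role']) !== false) {
            $hits = array_merge($hits, $members);
        }
    }
    foreach ($directory['roles'] as $roles) {
        foreach ($roles as $name => $members) {
            if (stripos($name, $target['role']) !== false) {
                $hits = array_merge($hits, $members);
            }
        }
    }
    return array_values(array_unique($hits));
}

$address = 'Course Administrator <#admin@Linear Algebra>';
print_r(resolveLocalRole($directory, $address));       // only the course's own admin role
print_r(resolveBySubstring($directory, $address));     // additionally the unrelated group
print_r(resolveLocalRole($directory, '#admin@No Such Course'));  // unknown scope: nobody
```

The design point is that a recipient token names a role inside one object, so both parts must be matched as keys; any resolver that searches titles by substring or ignores the scope will over-deliver to whichever unrelated group happens to share the word.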
Hi Ralf,
On 16.08.2017 at 15:59, Ralf Mattes wrote:
> On Wednesday, 16 August 2017 15:13 CEST, Michael Jansen <mjansen(a)databay.de> wrote:
>
>> Dear developers and administrators,
>>
>> the following information may save you some time as it took me a while to figure it out:
>>
>> Today I noticed some strange issues regarding XML handling in ILIAS (v5.2.6 2017-07-13, PHP 5.6.31-4+ubuntu16.04.1+deb.sury.org+4). Initially, I discovered a problem in one of my plugins which deals with XML that uses simplexml_load_file() with a local(!) file.
>>
>> The error message I got from it was:
>>
>> simplexml_load_file(): I/O warning : failed to load external entity "[MY_FILE]"
>
> Hmm - you should have posted to this list earlier, that one is a really good ol' friend of mine ...
>
>> <...>
>>
>> When I added ...
>>
>> libxml_disable_entity_loader(false);
>>
>> ... in my plugin before using simplexml_load_file() and before the ILIAS SOAP server is instantiated
>> in ./webservice/soap/server.php, the issue seems to be fixed for both cases.
>>
>> libxml_disable_entity_loader() is not thread safe, so this is the root of all evil (including but not
>> limited to pineapple on pizza).
> To be technically correct, what's biting you here isn't thread safety (I assume you are not running in
> a multi-threaded server environment) but global state. As (almost) always, global state is unfortunate.
"thread safe" was not the technically correct term. I noticed this after
I pushed the "Send" button in my email client ;-). I just meant: It
persists and could be caused by another process.
>
>> If ...
>>
>> libxml_disable_entity_loader(true);
>> ... is called in another script (or another PHP application) and not reset to false, the problematic state persists globally. There are even some calls with a boolean true in ILIAS (PHPExcel, SVG Sanitizer), which is dangerous in case an error occurred and the state could not be properly reset to a boolean false.
> Yes, that's exactly why global state is so dangerous even in single threaded environments. But, since external entity loading
> is known as a hard to control entry point for vulnerabilities it actually is a good idea to disable it.
Yes, global state is often evil. Especially, when it is mutated by other
libraries/dependencies or even other processes.
>
> BTW, do you now see why I'm so scared by other global state manipulations (umask, for example)?
>
> Cheers, Ralf Mattes
>
>
Best regards,
Michael
Dear developers and administrators,
the following information may save you some time as it took me a while to figure it out:
Today I noticed some strange issues regarding XML handling in ILIAS (v5.2.6 2017-07-13, PHP 5.6.31-4+ubuntu16.04.1+deb.sury.org+4). Initially, I discovered a problem in one of my plugins which deals with XML that uses simplexml_load_file() with a local(!) file.
The error message I got from it was:
simplexml_load_file(): I/O warning : failed to load external entity "[MY_FILE]"
I checked everything twice, the 'cwd', the include path, PHP ini settings ...
Surprisingly (for me), I was able to read the contents of the XML file one line before I called simplexml_load_file(). Passing the XML string to simplexml_load_string() worked fine.
The error occurred randomly (I initially thought), so I really had no idea what could cause that. Then our administrators reported issues when copying/cloning courses via SOAP in customer installations. I exported and imported the course in question as XML into my local installation (which worked fine) and tried to copy the course to reproduce the reported issue afterwards. It worked perfectly with PHP 7.0, but failed with PHP 5.6. The error log contained the same I/O warning mentioned above.
When I added ...
libxml_disable_entity_loader(false);
... in my plugin before using simplexml_load_file() and before the ILIAS SOAP server is instantiated in ./webservice/soap/server.php, the issue seems to be fixed for both cases.
libxml_disable_entity_loader() is not thread safe, so this is the root of all evil (including but not limited to pineapple on pizza).
If ...
libxml_disable_entity_loader(true);
... is called in another script (or another PHP application) and not reset to false, the problematic state persists globally. There are even some calls with a boolean true in ILIAS (PHPExcel, SVG Sanitizer), which is dangerous in case an error occurred and the state could not be properly reset to a boolean false.
Best regards,
Michael
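Added example, not part of either message above and not ILIAS code: both posts turn on the process-wide libxml entity-loader flag that, on PHP 5.6/7.x, outlives the request that set it. The function below shows the defensive pattern a plugin can use instead: read the local file itself, parse the string with network access disabled, and restore whatever flag value was in force before, even when parsing throws. The file path and the PHP version assumptions are mine.

```php
<?php
// Added example, not ILIAS code. Assumes PHP 5.5-7.x, where libxml_disable_entity_loader()
// is a per-process setting that is not reset between requests of the same worker.

function loadLocalXml($path)
{
    // Read the file ourselves: simplexml_load_string() does not need the external
    // entity loader for the document itself, which is exactly what the post observed,
    // so there is no reason to switch the loader on globally.
    $xml = file_get_contents($path);
    if ($xml === false) {
        throw new RuntimeException("Cannot read $path");
    }

    // Remember the previous flag values so we can put them back exactly as found.
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET blocks network fetches; not passing LIBXML_NOENT keeps entity
        // substitution off, so a DOCTYPE in the file cannot pull in other content.
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
        if ($doc === false) {
            $messages = array_map(function ($e) { return trim($e->message); }, libxml_get_errors());
            libxml_clear_errors();
            throw new RuntimeException("Invalid XML in $path: " . implode('; ', $messages));
        }
        return $doc;
    } finally {
        // Runs on success and on exception alike, so the global state never leaks
        // into the next request served by this worker.
        libxml_disable_entity_loader($previousLoader);
        libxml_use_internal_errors($previousErrors);
    }
}

// Constructed sample input written to a temporary file for the demonstration.
$tmp = tempnam(sys_get_temp_dir(), 'xml');
file_put_contents($tmp, '<?xml version="1.0"?><course><title>Linear Algebra</title></course>');
$course = loadLocalXml($tmp);
echo (string) $course->title, PHP_EOL;
unlink($tmp);
```

The try/finally is the part that matters: the post describes a true value left behind by another library after an error, and restoring the captured previous value rather than hard-coding false is what keeps this function from becoming yet another writer of that global. On PHP 8.0 and later the function is deprecated because the bundled libxml disables external entity loading by default, so the wrapper is only needed on the older versions the thread discusses.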
Dear ILIAS-Admins and all other interested readers of this mailing list,
please note that this mailing list is moderated from now on, i.e. you
won't be able to post content at will on this list.
We, the Technical Board of the ILIAS Society, want to establish clear
and reliable communication channels with and within our community. This
mailing list is intended for the following audience and content [1]:
Mailing list for people doing ILIAS server administration. By joining
you will get:
* announcements of new ILIAS releases
* announcements of security issues
* announcements from SIGs that target admins (SIG Performance,...)
If you want to publish content that fits this description, feel free to
post it to the list and we will be happy to approve it.
For discussions with your fellow admins, please use the corresponding forum
on ilias.de [2].
[1] http://lists.ilias.de/cgi-bin/mailman/listinfo/ilias-admins
[2] https://www.ilias.de/docu/goto_docu_frm_1875.html
Best regards!
--
Richard Klees
on behalf of the Technical Board of the ILIAS Society
and also
Lead Developer Qualifizierungsmanagement
---------------------------------------------
CaT Concepts and Training GmbH
Vorgebirgstraße 338
50969 Köln
Phone: +49 (0)221 / 46 75 76 - 56
Fax: +49 (0)221 / 46 75 76 - 09
Mail: richard.klees(a)concepts-and-training.de
Web: http://www.concepts-and-training.de
---------------------------------------------
Management:
Sven Kapust, Gerald Konrad, Alexandra Oehlke,
Sandra Röbbelen, Volker Röbbelen, Denis Witt
District Court Köln HRB 57804
VAT ID no.: DE 814694228
Registered office: Köln
---------------------------------------------
Hello everyone,
I can't find anything about this in the release notes for 5.2.5; does anyone
know more about it? Is this fixed in 5.1.x as well?
Michael is on vacation right now.
Is this critical?
-----Original Message-----
From: CERT-Bund [mailto:certbund@bsi.bund.de]
Sent: Thursday, 22 June 2017 08:17
To: ILIAS
Cc: IT-SiBe
Subject: Fwd: [CERT-Bund#2017061828000462] XSS vulnerability on the HS-Bund learning platform
Dear Sir or Madam,
we have been informed that the learning platform of HS-Köln is vulnerable to an XSS flaw because of an outdated ILIAS installation.
Website: https://lernplattform.bund.de/
Location: /setup/setup.php?cmd={inject-here}&lang=de
Payload: "><script>alert(1)</script>
Vulnerability: XSS Reflected
ILIAS versions < 5.2.5 are vulnerable to this. The vulnerability is fixed in the most recent version.
We therefore recommend updating the ILIAS installation to the latest version.
Kind regards
the CERT-Bund team
p.p.
Dr. Timo Steffens
--
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Division CK22 - CERT-Bund
Godesberger Allee 185-189
D-53175 Bonn
Phone: +49 (0)228 99 9582 5110
Fax: +49 (0)228 99 9582 7025
Web: https://www.bsi.bund.de/CERT-Bund/
PGP & S/MIME: https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Aktivitaeten/CERT-Bund/K…
--
Ralf Schenk
phone +49 (0) 24 05 / 40 83 70
fax +49 (0) 24 05 / 40 83 759
mail rs(a)databay.de
Databay AG
Jens-Otto-Krag-Straße 11
D-52146 Würselen
www.databay.de
Registered office/District Court Aachen • HRB: 8437 • VAT ID no.: DE 210844202
Board: Ralf Schenk, Dipl.-Ing. Jens Conze, Aresch Yavari, Dipl.-Kfm.
Philipp Hermanns
Chairman of the Supervisory Board: Wilhelm Dohmen
------------------------------------------------------------------------
Dear ILIAS admins and members of this mailing list,
This mail is only relevant for you if you have activated Mathjax support in ILIAS to render LaTeX (for mathematical expressions).
The default Mathjax server mentioned in the Mathjax administration of ILIAS has been shut down recently. If you use this URL to render LaTeX in the browser, this won't work any more. There is a new default Mathjax server available at https://cdnjs.cloudflare.com. To use this server, please enter the following string into the input 'URL to Mathjax' at Administration » Third-Party-Software » Settings » Mathjax:
https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-…
For more information about LaTeX support in ILIAS, please join the SIG Mathe+ILIAS : http://www.ilias.de/docu/goto_docu_grp_5183.html
Kind regards,
Matthias
* * * * *
Matthias Kunkel
ILIAS Product Manager
General Manager ILIAS open source e-Learning e.V.
Office:
Ebertplatz 14-16 • D-50668 Koeln
www.ilias.de
verein(a)ilias.de
* * * * *
Dear ILIAS-Administrators
Two years ago the versioning of the ILIAS source code was moved from Subversion (SVN) to Git. To make the migration for all installations as smooth as possible, a synchronization from GitHub to the SVN server was established which synced all the maintained versions of ILIAS (4.3, 4.4, 5.0) back to the SVN server. Besides those release branches, many custom branches have been used on the SVN server.
There are two services which will be obsolete at some point:
- the synchronization from Github to SVN
- the SVN-Server itself
We kindly ask you to participate in the following survey: http://www.ilias.de/docu/goto_docu_svy_5157.html
We will then be able to decide upon the shutdown dates of the services mentioned above. Thank you very much!
Best regards
Fabian
--
Fabian Schmid
Member of the Executive Board
Head of Software Development
studer + raimann ag
IT- and Learning-Solutions
Farbweg 9
3400 Burgdorf
main +41 31 972 52 22
support +41 31 972 52 30
direct +41 31 972 52 27
fs(a)studer-raimann.ch
studer-raimann.ch
--
Job openings at studer + raimann ag
https://studer-raimann.ch/ueber-uns/news/offene-stellen/
Wanna know more? Contact us directly or find information online:
Corporate Website studer-raimann.ch | Product Website ilias.ch
Facebook <https://www.facebook.com/studer.raimann> | XING <https://www.xing.com/companies/studer+raimannag> | LinkedIn <https://www.linkedin.com/company/studer-raimann-ag>
Dear ILIAS admins,
the Jour Fixe of the ILIAS Society discussed the question of how to proceed
with the supported PHP versions at the last meeting [1].
To take a final decision at the next meeting on 22.05, we need your
feedback on the issue:
Is there anyone who would be in severe trouble if we dropped the support
for PHP 5 completely with the subsequent release of ILIAS (i.e. ILIAS
5.4)? Do you see any problems if ILIAS 5.4, which will be released
around the end of 2018, only supports PHP > 7?
Please use the wiki page [1] to voice your opinion.
If we do not get any feedback, we will decide to drop support for PHP 5
completely with the subsequent ILIAS release.
[1] http://www.ilias.de/docu/goto_docu_wiki_wpage_4770_1357.html
[2] http://php.net/releases/7_1_0.php
Best regards!
--
Richard Klees
on behalf of the Technical Board of the ILIAS Society
and also
Lead Developer Qualifizierungsmanagement
---------------------------------------------
CaT Concepts and Training GmbH
Vorgebirgstraße 338
50969 Köln
Phone: +49 (0)221 / 46 75 76 - 56
Fax: +49 (0)221 / 46 75 76 - 09
Mail: richard.klees(a)concepts-and-training.de
Web: http://www.concepts-and-training.de
---------------------------------------------
Management:
Sven Kapust, Gerald Konrad, Alexandra Oehlke,
Sandra Röbbelen, Volker Röbbelen, Denis Witt
District Court Köln HRB 57804
VAT ID no.: DE 814694228
Registered office: Köln
---------------------------------------------
Dear list members,
again a media object related security issue has been identified and
fixed for ILIAS versions >= 5.0. A big "Thank you" goes to researcher
Julian Rittweger for reporting this issue.
It was possible to upload SVG files as media objects (e.g. in wiki
pages) which could be used to inject and execute JavaScript (persistent
XSS).
With the latest fix of the responsible code maintainer, SVG files will
be sanitized when uploaded to ILIAS.
We strongly advise updating your ILIAS installation to the latest
version.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
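Added example, not part of the announcement above and not the SVG sanitizer that ILIAS ships: the fix described is to sanitize SVG uploads, and the function below shows what such a pass looks like with PHP's DOMDocument. The element and attribute policy is an assumption chosen for this example, the sample SVG is constructed, and the parse flags keep the cleaning step itself from loading external content.

```php
<?php
// Added example, not ILIAS code: strip the script-bearing parts of an uploaded SVG
// before it is stored. Policy, helper names and the sample input are all assumptions.

function sanitizeSvg($svg)
{
    // Elements that can run or load code: scripts, embedded HTML, and animation
    // elements that can rewrite other attributes (including href) at runtime.
    $blockedElements = ['script', 'foreignobject', 'iframe', 'embed', 'object', 'set', 'animate'];
    $urlAttributes   = ['href', 'xlink:href', 'src'];

    $previousErrors = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        // LIBXML_NONET and the absence of LIBXML_NOENT/LIBXML_DTDLOAD mean no network
        // access, no entity substitution and no external DTD while we parse the upload.
        if (!$doc->loadXML($svg, LIBXML_NONET)) {
            return null;                                  // not well-formed: reject outright
        }
        // An SVG drawing has no business carrying a DOCTYPE, and the root must be <svg>.
        if ($doc->doctype !== null || strtolower($doc->documentElement->localName) !== 'svg') {
            return null;
        }

        $xpath    = new DOMXPath($doc);
        $toRemove = [];
        foreach ($xpath->query('//*') as $el) {
            if (in_array(strtolower($el->localName), $blockedElements, true)) {
                $toRemove[] = $el;                        // remove after the walk, not during it
                continue;
            }
            $dropAttrs = [];
            foreach ($el->attributes as $attr) {
                $name  = $attr->nodeName;                 // keeps the prefix, e.g. "xlink:href"
                $value = trim($attr->nodeValue);
                if (stripos($name, 'on') === 0) {
                    $dropAttrs[] = $attr;                 // onload=, onclick=, ... event handlers
                } elseif (in_array(strtolower($name), $urlAttributes, true)
                          && !preg_match('~^(#|https?://)~i', $value)) {
                    $dropAttrs[] = $attr;                 // allowlist: fragment refs and http(s) only
                }
            }
            foreach ($dropAttrs as $attr) {
                $el->removeAttributeNode($attr);
            }
        }
        foreach ($toRemove as $el) {
            if ($el->parentNode !== null) {
                $el->parentNode->removeChild($el);
            }
        }
        libxml_clear_errors();
        return $doc->saveXML();
    } finally {
        libxml_use_internal_errors($previousErrors);
    }
}

// Constructed sample: a drawing carrying a script element, event handlers and a javascript: link.
$upload = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
        . '<script>alert(1)</script>'
        . '<a xlink:href="javascript:alert(1)"><circle r="10" onclick="alert(1)"/></a>'
        . '<a href="#part"><rect width="5" height="5"/></a>'
        . '</svg>';
echo sanitizeSvg($upload), PHP_EOL;
```

Two choices are worth noting for anyone adapting this: URL-bearing attributes are checked against an allowlist of schemes rather than a denylist of bad ones, so obfuscated values such as a tab inside "javascript:" fall through to removal without special handling, and attribute nodes are removed via removeAttributeNode() because removeAttribute() by name does not reliably hit prefixed attributes like xlink:href.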
Dear list members,
several security issues have been identified (thanks to Nicolas Schäfli
[studer + raimann ag] and Johannes [KIT]) and fixed for ILIAS version
5.0, 5.1 and 5.2.
The first weakness was located in the code validation part of the self
registration.
The second type of vulnerability affected the XML import of course and
file objects. It was possible to copy arbitrary files into the media
object directory (course import), and to copy a source file to an
arbitrary location on the file system (file import).
We strongly advise updating your ILIAS installation to the latest
version. For more detailed explanations, don't hesitate to contact us.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
Dear list members,
because of the feedback the Technical Board received after our last
email regarding the changed behavior of media objects, we had a new and
fruitful discussion on the matter.
As an immediate/intermediate solution, it is now possible to define a
blacklist of file extensions in the administration of media objects.
Files of type 'html' are forbidden by default now. You would be required
to change this setting in case HTML files are important for your scenarios.
If you still plan to allow HTML files and are afraid of the security issue:
* It should NOT be possible to steal the user's session cookie because
session cookies in ILIAS are marked as 'httponly' and cannot be accessed
by JavaScript code located in the uploaded HTML files (media objects).
* Nevertheless the user's session cookie will STILL be sent in case a
malicious script requests (e.g. via AJAX/XmlHttpRequest) ILIAS
server-side scripts, so these requests are sent in the context of the
user to whom the media object is presented.
As a medium-term solution, the Technical Board highly appreciates and
supports the introduction of methods like 'Subdomain Isolation'
(presented by Pascal Grube last year) which ensures both: The
possibility to upload HTML/JavaScript files and a certain level of
security. We will get in contact with stakeholders interested in funding
and further pushing the implementation of this.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
Dear list members,
a security issue has been identified (big thanks to Nicolas Schäfli) and
fixed for ILIAS versions >= 5.0.
It was possible to upload HTML files as media objects (e.g. in wiki
pages) which could be used to inject JavaScript.
According to the Jour Fixe decision the responsible component maintainer
introduced some changes regarding the handling of HTML files uploaded as
media objects.
Jour Fixe, FEB 13, 2017: "To patch this problem we decided to prohibit
the upload of HTML and the interpretation of HTML in media objects for
5.0 to 5.2."
If *.html files are uploaded they are always renamed to *.sec now
(similar to the handling of executables). The rendering has been
deactivated. Existing *.html files (uploaded before the patch) are not
rendered anymore, but there isn't a concept of deleting/renaming these
files, yet.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
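Added example, not part of the two announcements above and not ILIAS code: they describe a configurable extension blacklist, with 'html' blocked by default and blocked uploads renamed to *.sec. The function below applies such a policy to an upload name and handles the cases that defeat a naive check: directory components, upper-case extensions and trailing dots. It goes beyond the page's rule in one respect, checking every dotted segment rather than only the last one. Sample filenames are constructed.

```php
<?php
// Added example, not ILIAS code: apply a media-object extension blacklist on upload,
// renaming blocked extensions to ".sec". Sample filenames are constructed.

function applyExtensionBlacklist($filename, array $blacklist = ['html'])
{
    // Drop any directory part so an upload name cannot escape the target directory.
    $name = basename(str_replace('\\', '/', $filename));

    // Trailing dots and spaces vanish on some filesystems ("page.html." is stored as
    // "page.html"), so remove them before looking at the extension.
    $name = rtrim($name, ". \t");
    if ($name === '' || $name[0] === '.') {
        return null;                               // empty name or a dotfile: refuse the upload
    }

    $blocked = array_map('strtolower', $blacklist);
    $parts   = explode('.', $name);
    $base    = array_shift($parts);                // everything before the first dot
    foreach ($parts as $i => $ext) {
        // Compare case-insensitively: "Page.HTML" is served as HTML just like "page.html".
        if (in_array(strtolower($ext), $blocked, true)) {
            $parts[$i] = 'sec';                    // neutralise so the web server won't render it
        }
    }
    return implode('.', array_merge([$base], $parts));
}

$samples = ['page.html', 'Page.HTML', 'page.html.', '../escape.htm', 'notes.html.txt', 'image.png', '.htaccess'];
foreach ($samples as $f) {
    printf("%-18s -> %s\n", $f, var_export(applyExtensionBlacklist($f), true));
}
```

Running the sample shows the limit of the default list: 'escape.htm' passes untouched because only 'html' is blocked, which is the reason to extend the blacklist with every other extension the web server maps to text/html (and, where SVG is not sanitized, with 'svg') rather than relying on the single default entry.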
Dear list members,
a security issue has been identified (big thanks to Thomas Hufschmidt)
and fixed for ILIAS version 5.0 and 5.1. For version 5.2.0, the issue
was already fixed at the time it was released.
The vulnerability was located in the QTI import of *-choice questions
with images used as answer options and existed since the initial
implementation of QTI export/import.
We strongly advise updating your ILIAS installation to the latest
version (5.0.19, 5.1.15). For more detailed explanations, don't hesitate
to contact me.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
Dear ILIAS admin,
A security issue has been identified and fixed for ILIAS versions 5.0 and
5.1. We strongly advise updating your ILIAS installation to the latest
version (5.0.17, 5.1.13).
--
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
Dear ILIAS admin,
A security issue has been identified and fixed for ILIAS versions 5.0 and 5.1. We strongly advise updating your ILIAS installation to the latest version as soon as possible. We plan to publish the details of the exploit in about four weeks.
--
Timon Amstutz
on behalf of the ILIAS e.V. and the Technical Board