Dear list members,
a security issue has been identified (thanks to chbi from
https://chbi.eu/) in the media object component and fixed for ILIAS
versions 5.1, 5.2 and 5.3beta.
We strongly advise you to update your ILIAS installation to the latest
version. For more detailed explanations, don't hesitate to contact us.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
Dear ILIAS-Admins,
in JourFixe-2017-09-25 [1] Alex Killing announced that he would step down from the
maintainership of the Setup, and Matthias Kunkel called for applicants
for that vacancy.
I am indeed interested in taking over the maintainership, and CaT
Concepts and Training GmbH is willing to invest in the setup.
Since I have some opinions about the general direction the setup should
take and I'm not willing to just continue with the current model or
blindly accept payment for any feature in the setup, I want to check my
ideas with the community first before finally applying for maintainership.
I created a featurewiki page [2] containing my ideas. Please leave
comments and questions in the discussion section of this page as usual.
[1] https://www.ilias.de/docu/goto_docu_wiki_wpage_4835_1357.html
[2] https://www.ilias.de/docu/goto_docu_wiki_wpage_4900_1357.html
Best Regards!
--
Richard Klees
Lead Developer Qualifizierungsmanagement
---------------------------------------------
CaT Concepts and Training GmbH
Vorgebirgstraße 338
50969 Köln
Phone: +49 (0)221 / 46 75 76 - 56
Fax: +49 (0)221 / 46 75 76 - 09
Mail: richard.klees(a)concepts-and-training.de
Web: http://www.concepts-and-training.de
---------------------------------------------
Managing directors:
Sven Kapust, Gerald Konrad, Alexandra Oehlke,
Sandra Röbbelen, Volker Röbbelen, Denis Witt
Cologne Local Court (Amtsgericht Köln), HRB 57804
VAT ID no.: DE 814694228
Registered office: Cologne
---------------------------------------------
Dear list members,
a security issue has been identified (thanks to Timon Amstutz [Uni Bern
and ILIAS Technical Board]) and is fixed for ILIAS 5.2.x.
The issue was located in the 'Mail System' and affected the recipient
string parsing.
This led to a situation where an attacker in a group named 'admin'
received every email that was addressed to any supposedly distinct local
role having 'admin' in its name (e.g.
"Course Administrator <#admin@[NameOfAnArbitraryCourse]>").
We strongly advise you to update your ILIAS installation to the latest
version, 5.2.7.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
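The advisory above describes the symptom only: a recipient string such as "Course Administrator <#admin@Some Course>" names a local role ("admin") scoped to one object, yet the members of a global group that happened to be called "admin" also received the mail. The following is an added example, not ILIAS code, that reconstructs that class of bug with a hypothetical directory: a loose resolver that matches the token "admin" against every group and role name, regardless of the object scope, next to a strict resolver that requires an exact role name inside the exact object (or an exact group name when no object is given). The directory contents, the user names and the two resolver functions are all constructed for this illustration.

```php
<?php
// Added illustration, not ILIAS code. Recipient syntax as quoted in the
// advisory: "Display Name <#role@Object>" addresses a local role of one
// object; a bare "#name" (assumption) addresses a global group.

// Hypothetical directory, constructed for this example.
$directory = [
    'groups' => [
        'admin'    => ['attacker'],   // a group anyone could have named "admin"
        'helpdesk' => ['hd1'],
    ],
    'roles' => [
        'Algebra 101' => ['admin' => ['prof_a'], 'member' => ['s1', 's2']],
        'Biology 2'   => ['admin' => ['prof_b'], 'member' => ['s3']],
    ],
];

/** Split "Display Name <#role@Object>" or "#name" into name and optional object. */
function parseRecipient(string $raw): ?array
{
    if (preg_match('/<([^>]+)>\s*$/', $raw, $m)) {
        $raw = $m[1];                       // keep only the addr-spec part
    }
    $raw = trim($raw);
    if ($raw === '' || $raw[0] !== '#') {
        return null;                        // not a role/group address
    }
    $parts = explode('@', substr($raw, 1), 2);
    return ['name' => $parts[0], 'object' => $parts[1] ?? null];
}

/** Loose resolver (the failure mode): any group or role whose name
 *  contains the token receives the mail; the object scope is ignored. */
function resolveLoose(array $dir, string $raw): array
{
    $r = parseRecipient($raw);
    if ($r === null) {
        return [];
    }
    $out = [];
    foreach ($dir['groups'] as $group => $members) {
        if (stripos($group, $r['name']) !== false) {
            $out = array_merge($out, $members);
        }
    }
    foreach ($dir['roles'] as $object => $roles) {
        foreach ($roles as $role => $members) {
            if (stripos($role, $r['name']) !== false) {
                $out = array_merge($out, $members);
            }
        }
    }
    return array_values(array_unique($out));
}

/** Strict resolver: "#role@Object" matches only that role in that object,
 *  "#name" matches only the group with exactly that name. */
function resolveStrict(array $dir, string $raw): array
{
    $r = parseRecipient($raw);
    if ($r === null) {
        return [];
    }
    if ($r['object'] !== null) {
        return $dir['roles'][$r['object']][$r['name']] ?? [];
    }
    return $dir['groups'][$r['name']] ?? [];
}

$to = 'Course Administrator <#admin@Algebra 101>';
print_r(resolveLoose($directory, $to));
print_r(resolveStrict($directory, $to));
```

Run with `php recipients.php` (any file name). The loose resolver hands the mail to the "admin" group's member and to the admin role holders of both courses; the strict resolver returns only the admin of "Algebra 101". The fix is not a better substring check but a different lookup key: the object scope and the role name together, compared for equality.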
Hi Ralf,
On 16.08.2017 at 15:59, Ralf Mattes wrote:
> On Wednesday, 16 August 2017 15:13 CEST, Michael Jansen <mjansen(a)databay.de> wrote:
>
>> Dear developers and administrators,
>>
>> the following information may save you some time as it took me a while to figure it out:
>>
>> Today I noticed some strange issues regarding XML handling in ILIAS (v5.2.6 2017-07-13, PHP 5.6.31-4+ubuntu16.04.1+deb.sury.org+4). Initially, I discovered a problem in one of my plugins which deals with XML that uses simplexml_load_file() with a local(!) file.
>>
>> The error message I got from it was:
>>
>> simplexml_load_file(): I/O warning : failed to load external entity "[MY_FILE]"
>
> Hmm - you should have posted to this list earlier, that one is a really good ol' friend of mine ...
>
>> <...>
>>
>> When I added ...
>>
>> libxml_disable_entity_loader(false);
>>
>> ... in my plugin before using simplexml_load_file() and before the ILIAS SOAP server is instantiated
>> in ./webservice/soap/server.php, the issue seems to be fixed for both cases.
>>
>> libxml_disable_entity_loader() is not thread safe, so this is the root of all evil (including but not
>> limited to pineapple on pizza).
> To be technically correct, what's biting you here isn't thread safety (I assume you are not running in
> a multi-threaded server environment) but global state. As (almost) always, global state is unfortunate.
"thread safe" was not the technically correct term. I noticed this after
I pushed the "Send" button in my email client ;-). I just meant: It
persists and could be caused by another process.
>
>> If ...
>>
>> libxml_disable_entity_loader(true);
>> ... is called in another script (or another PHP application) and not reset to false, the problematic state persists globally. There are even some calls with a boolean true in ILIAS (PHPExcel, SVG Sanitizer), which is dangerous in case an error occurred and the state could not be properly reset to a boolean false.
> Yes, that's exactly why global state is so dangerous even in single threaded environments. But, since external entity loading
> is known as a hard to control entry point for vulnerabilities it actually is a good idea to disable it.
Yes, global state is often evil. Especially, when it is mutated by other
libraries/dependencies or even other processes.
>
> BTW, do you now see why I'm so scared by other global state manipulations (umask, for example)?
>
> Cheers, Ralf Mattes
>
>
Best regards,
Michael
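The thread above describes the mechanism but shows no code. The following is an added example, not code from ILIAS or from either poster, that reproduces the effect on PHP 5.6/7 as used in the thread: libxml_disable_entity_loader() is process-wide state, and once a caller sets it to true and bails out on an error before resetting it, every later simplexml_load_file() of a local file in the same request fails with the "failed to load external entity" warning quoted above. It contrasts a sanitizer that sets the flag and can leave it behind with one that remembers the previous value and restores it in a finally block; the sanitizer functions, the temp file and the sample document are all constructed for this illustration. (On PHP 8 the function is deprecated, so the pattern matters mostly for the PHP versions discussed here.)

```php
<?php
// Added example, not ILIAS code. Shows that libxml_disable_entity_loader()
// is global state that survives a failed call unless explicitly restored.

libxml_use_internal_errors(true);   // keep libxml warnings out of the output

// Constructed sample document, written to a temp file so the example runs offline.
$file = tempnam(sys_get_temp_dir(), 'xml');
file_put_contents($file, "<?xml version=\"1.0\"?>\n<root><item id=\"1\">ok</item></root>\n");

/** Parse a local XML file; returns the first item's text, or null if loading failed. */
function loadFirstItem(string $path): ?string
{
    $xml = simplexml_load_file($path);
    libxml_clear_errors();
    return $xml === false ? null : (string) $xml->item[0];
}

/** Buggy (hypothetical) sanitizer: disables the loader, but a parse error
 *  throws before the reset line runs, so the flag stays true for the process. */
function sanitizeUnsafe(string $xmlString): void
{
    libxml_disable_entity_loader(true);
    $doc = new DOMDocument();
    if (!$doc->loadXML($xmlString)) {
        throw new RuntimeException('invalid XML');   // loader left disabled here
    }
    libxml_disable_entity_loader(false);
}

/** Fixed sanitizer: keep the previous setting and restore it whatever happens.
 *  The function returns the old value, so callers nested inside another
 *  "disabled" region do not re-enable the loader behind that caller's back. */
function sanitizeSafe(string $xmlString): void
{
    $previous = libxml_disable_entity_loader(true);
    try {
        $doc = new DOMDocument();
        if (!$doc->loadXML($xmlString)) {
            throw new RuntimeException('invalid XML');
        }
    } finally {
        libxml_disable_entity_loader($previous);
    }
}

echo 'local file before any sanitizer: ', var_export(loadFirstItem($file), true), PHP_EOL;

try {
    sanitizeUnsafe('<broken');
} catch (RuntimeException $e) {
}
echo 'after the buggy sanitizer failed: ', var_export(loadFirstItem($file), true), PHP_EOL;

// The manual reset from the e-mail's workaround; only needed because of the bug above.
libxml_disable_entity_loader(false);

try {
    sanitizeSafe('<broken');
} catch (RuntimeException $e) {
}
echo 'after the fixed sanitizer failed: ', var_export(loadFirstItem($file), true), PHP_EOL;

unlink($file);
```

Run with `php entity_loader.php` (any file name). The first and third lines print the item text; the middle line prints NULL, because the buggy sanitizer's exception skipped its reset and the disabled loader now also blocks loading the plugin's own local file. Restoring the value returned by libxml_disable_entity_loader(true), rather than blindly writing false, is what makes the fixed variant safe to call from inside code that deliberately keeps external entity loading off, which, as Ralf notes above, is the setting you actually want for untrusted XML.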