- ilias-admins - lists.ilias.de

by Anton Arsenij

7 years, 3 months

1
0
0 0

ILIAS 5.2.x Security Issues: Receive all emails to specific local role

by Michael Jansen

Dear list members, a security issue has been identified (thanks to Timon Amstutz [Uni Bern and ILIAS Technical Board]) and is fixed for ILIAS 5.2.x. The issue was located in the 'Mail System' and affected the recipient string parsing. This led to a situation where an attacker in a group named 'admin' received every email that was addressed to any assumed distinct local role having 'admin' in its name (e.g. "Course Administrator <#admin@[NameOfAnArbitraryCourse]>"). We advise strongly to update your ILIAS installation to the latest version 5.2.7 . Best regards, Michael Jansen on behalf of the ILIAS e.V. and the Technical Board

7 years, 3 months

1
0
0 0

ILIAS 5.2.7 published

by Anton Arsenij

7 years, 3 months

1
0
0 0

Re: [ilAdmins] [dev] ILIAS 5.2.x: XML issues with PHP 5.6.x

by Michael Jansen

Hi Ralf, Am 16.08.2017 um 15:59 schrieb Ralf Mattes: > Am Mittwoch, 16. August 2017 15:13 CEST, Michael Jansen <mjansen(a)databay.de> schrieb: > >> Dear developers and administrators, >> >> the following information may save you some time as it took me a while to figure it out: >> >> Today I noticed some strange issues regarding XML handling in ILIAS with (v5.2.6 2017-07-13, PHP 5.6.31-4+ubuntu16.04.1+deb.sury.org+4). Initially, I discovered a problem in one of my plugins which deals with XML that uses simplexml_load_file() with a local(!) file. >> >> The error message I got from it was: >> >> simplexml_load_file(): I/O warning : failed to load external entity "[MY_FILE]" > > Hmm - you should have posted to this list earlier, that one is a really good ol' friend of mine ... > >> <...> >> >> When I added ... >> >> libxml_disable_entity_loader(false); >> >> ... in my plugin before using simplexml_load_file() and before the ILIAS SOAP server is instantiated >> in ./webservice/soap/server.php, the issue seems to be fixed for both cases. >> >> libxml_disable_entity_loader() is not thread safe, so this is the root of all evil (including but not >> limited to pineapple on pizza). > To be technically correct, what's bitting you here isn't thread safety (I assume you are not running in > a multi-threaded server environment) but global state. As (almost) always, global state is unfortunate. "thread safe" was not the technically correct term. I noticed this after I pushed the "Send" button in my email client ;-). I just meant: It persists and could be caused by another process. > >> If ... >> >> libxml_disable_entity_loader(true); >> ... is called in another script (or another PHP application) and not resetted to false, the problematic state persists globally. There are even some calls of with a boolean true in ILIAS (PHPExcel, SVG Sanitizer), which is dangerous in case an error occured and the state could not be properly resetted to a boolean false. > Yes, that's exactly why global state is so dangerous even in single threaded environments. But, since external entity loading > is known as a hard to control entry point for vulnerabilities it actually is a good idea to disable it. Yes, global state is often evil. Especially, when it is mutated by other libraries/dependencies or even other processes. > > BTW, do you now see why I'm so scared by other global state manipulations (umask, for example)? > > Cheers, Ralf Mattes > > Best regards, Michael

7 years, 4 months

1
0
0 0

ILIAS 5.2.x: XML issues with PHP 5.6.x

by Michael Jansen

Dear developers and administrators, the following information may save you some time as it took me a while to figure it out: Today I noticed some strange issues regarding XML handling in ILIAS with (v5.2.6 2017-07-13, PHP 5.6.31-4+ubuntu16.04.1+deb.sury.org+4). Initially, I discovered a problem in one of my plugins which deals with XML that uses simplexml_load_file() with a local(!) file. The error message I got from it was: simplexml_load_file(): I/O warning : failed to load external entity "[MY_FILE]" I checked everything twice, the 'cwd', the include path, PHP ini settings ... Surprisingly (for me), I was able to read the contents of the XML file one line before I called simplexml_load_file(). Passing the XML string to simplexml_load_string() worked fine. The error occured randomly (I initially thought), so I really had no idea what could cause that. Then our administrators reported issues when copying/cloning courses via SOAP in customer installations. I exported and imported the course in question as XML into my local installation (which worked fine) and tried to copy the course to reproduce the reported issue afterwards. It worked perfectly with PHP 7.0, but failed with PHP 5.6. The error log contained the same I/O warning mentioned above. When I added ... libxml_disable_entity_loader(false); ... in my plugin before using simplexml_load_file() and before the ILIAS SOAP server is instantiated in ./webservice/soap/server.php, the issue seems to be fixed for both cases. libxml_disable_entity_loader() is not thread safe, so this is the root of all evil (including but not limited to pineapple on pizza). If ... libxml_disable_entity_loader(true); ... is called in another script (or another PHP application) and not resetted to false, the problematic state persists globally. There are even some calls of with a boolean true in ILIAS (PHPExcel, SVG Sanitizer), which is dangerous in case an error occured and the state could not be properly resetted to a boolean false. Best regards, Michael

7 years, 4 months

1
0
0 0

ILIAS 5.1.19 published

by Anton Arsenij

7 years, 5 months

1
0
0 0

ILIAS 5.0.23 published

by Anton Arsenij

7 years, 5 months

1
0
0 0

Note about this ML

by Richard Klees

Dear ILIAS-Admins and all other interested readers of this mailing list, please note that this mailing list is moderated from now on, i.e. you won't be able to post content at will on this list. We, the Technical Board of the ILIAS Society, want to establish clear and reliable communication channels with and within our community. This mailing list is intended for the following audience and content [1]: Mailing list for people doing ILIAS server administration. By joining you will get: * announcements of new ILIAS releases * announcements of security issues * announcements from SIGs that target admins (SIG Performance,...) If you want to publish content that fits this description, feel free to post it to the list and we will be happy to approve it. For discussions with your fellow admins, please use the according forum on ilias.de [2]. [1] http://lists.ilias.de/cgi-bin/mailman/listinfo/ilias-admins [2] https://www.ilias.de/docu/goto_docu_frm_1875.html Best regards! -- Richard Klees on behalf of the Technical Board of the ILIAS Society and also Lead Developer Qualifizierungsmanagement --------------------------------------------- CaT Concepts and Training GmbH Vorgebirgstraße 338 50969 Köln Fon: +49 (0)221 / 46 75 76 - 56 Fax: +49 (0)221 / 46 75 76 - 09 Mail: richard.klees(a)concepts-and-training.de Web: http://www.concepts-and-training.de --------------------------------------------- Geschäftsführung: Sven Kapust, Gerald Konrad, Alexandra Oehlke, Sandra Röbbelen, Volker Röbbelen, Denis Witt Amtsgericht Köln HRB 57804 Ust-ID-Nr.: DE 814694228 Sitz: Köln ---------------------------------------------

7 years, 5 months

1
0
0 0

ILIAS 5.2.6 published

by Anton Arsenij

7 years, 5 months

4
4
0 0

Sicherheitslücke bekannt ?

by Ralf Schenk

Hallo zusammen, ich finde in den Release-Notes zu 5.2.5 keinerlei Angaben hierzu, wem ist da etwas bekannt ? Ist das auch in 5.1.x gefixt ? Michael hat gerade Urlaub. Ist das kritisch? -----Ursprüngliche Nachricht----- Von: CERT-Bund [mailto:certbund@bsi.bund.de] Gesendet: Donnerstag, 22. Juni 2017 08:17 An: ILIAS Cc: IT-SiBe Betreff: Fwd: [CERT-Bund#2017061828000462] XSS-Schwachstelle auf der Lernplattform HS-Bund Sehr geehrte Damen und Herren, wir wurden darüber informiert, dass die Lernplattform der HS-Köln aufgrund einer nicht aktuellen ILIAS-Installation verwundbar für eine XSS-Schwachstelle ist. Website: https://lernplattform.bund.de/ Location: /setup/setup.php?cmd={inject-here}&lang=de Payload: "><script>alert(1)</script> Vulnerability: XSS Reflected Versionen von ILIAS < 5.2.5 sind dafür verwundbar. In der aktuellsten Version ist die Schwachstelle behoben. Wir empfehlen daher, die ILIAS-Installation auf den neusten Stand zu heben. Mit freundlichen Grüßen das Team CERT-Bund Im Auftrag Dr. Timo Steffens -- Bundesamt für Sicherheit in der Informationstechnik (BSI) Referat CK22 - CERT-Bund Godesberger Allee 185-189 D-53175 Bonn Telefon: +49 (0)228 99 9582 5110 Telefax: +49 (0)228 99 9582 7025 Web: https://www.bsi.bund.de/CERT-Bund/ PGP & S/MIME: https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Aktivitaeten/CERT-Bund/K… -- *Ralf Schenk* fon +49 (0) 24 05 / 40 83 70 fax +49 (0) 24 05 / 40 83 759 mail *rs(a)databay.de* <mailto:rs@databay.de> *Databay AG* Jens-Otto-Krag-Straße 11 D-52146 Würselen *www.databay.de* <http://www.databay.de> Sitz/Amtsgericht Aachen • HRB:8437 • USt-IdNr.: DE 210844202 Vorstand: Ralf Schenk, Dipl.-Ing. Jens Conze, Aresch Yavari, Dipl.-Kfm. Philipp Hermanns Aufsichtsratsvorsitzender: Wilhelm Dohmen ------------------------------------------------------------------------

7 years, 6 months

3
2
0 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

ilias-admins