Hallo zusammen,
ich finde in den Release-Notes zu 5.2.5 keinerlei Angaben hierzu, wem
ist da etwas bekannt ? Ist das auch in 5.1.x gefixt ?
Michael hat gerade Urlaub.
Ist das kritisch?
-----Ursprüngliche Nachricht-----
Von: CERT-Bund [mailto:certbund@bsi.bund.de]
Gesendet: Donnerstag, 22. Juni 2017 08:17
An: ILIAS
Cc: IT-SiBe
Betreff: Fwd: [CERT-Bund#2017061828000462] XSS-Schwachstelle auf der Lernplattform HS-Bund
Sehr geehrte Damen und Herren,
wir wurden darüber informiert, dass die Lernplattform der HS-Köln aufgrund einer nicht aktuellen ILIAS-Installation verwundbar für eine XSS-Schwachstelle ist.
Website: https://lernplattform.bund.de/
Location: /setup/setup.php?cmd={inject-here}&lang=de
Payload: "><script>alert(1)</script>
Vulnerability: XSS Reflected
Versionen von ILIAS < 5.2.5 sind dafür verwundbar. In der aktuellsten Version ist die Schwachstelle behoben.
Wir empfehlen daher, die ILIAS-Installation auf den neusten Stand zu heben.
Mit freundlichen Grüßen
das Team CERT-Bund
Im Auftrag
Dr. Timo Steffens
--
Bundesamt für Sicherheit in der Informationstechnik (BSI)
Referat CK22 - CERT-Bund
Godesberger Allee 185-189
D-53175 Bonn
Telefon: +49 (0)228 99 9582 5110
Telefax: +49 (0)228 99 9582 7025
Web: https://www.bsi.bund.de/CERT-Bund/
PGP & S/MIME: https://www.bsi.bund.de/DE/Themen/Cyber-Sicherheit/Aktivitaeten/CERT-Bund/K…
--
*Ralf Schenk*
fon +49 (0) 24 05 / 40 83 70
fax +49 (0) 24 05 / 40 83 759
mail *rs(a)databay.de* <mailto:rs@databay.de>
*Databay AG*
Jens-Otto-Krag-Straße 11
D-52146 Würselen
*www.databay.de* <http://www.databay.de>
Sitz/Amtsgericht Aachen • HRB:8437 • USt-IdNr.: DE 210844202
Vorstand: Ralf Schenk, Dipl.-Ing. Jens Conze, Aresch Yavari, Dipl.-Kfm.
Philipp Hermanns
Aufsichtsratsvorsitzender: Wilhelm Dohmen
------------------------------------------------------------------------
Dear ILIAS admins and members of this mailing list,
This mail is only relevant for you if you have activated Mathjax support in ILIAS to render LaTeX (for mathematical expressions).
The default Mathjax server mentioned in the Mathjax administration of ILIAS has been shut down recently. If you use this URL to render LaTeX in the browser, this won’t work any more. There is a new default Mathjax server available at https://cdnjs.cloudflare.com <https://cdnjs.cloudflare.com/>. To use this server, please enter the following string to the input ‚URL to Mathjax‘ at Administration » Third-Party-Software » Settings » Mathjax :
https://cdnjs.cloudflare.com/ajax/libs/mathjax/2.7.1/MathJax.js?config=TeX-…
For more information about LaTeX support in ILIAS, please join the SIG Mathe+ILIAS : http://www.ilias.de/docu/goto_docu_grp_5183.html
Kind regards,
Matthias
* * * * *
Matthias Kunkel
ILIAS Product Manager
General Manager ILIAS open source e-Learning e.V.
Office:
Ebertplatz 14-16 • D-50668 Koeln
www.ilias.de <http://www.ilias.de/>
verein(a)ilias.de <mailto:verein@ilias.de>
* * * * *
Dear ILIAS-Administrators
Two years ago the versioning of the ILIAS-Source-Code has been moved from Subversion (SVN) to Git. To make the migration for all Installations as smooth as possible, a synchronization from Github to the SVN-Server has been established which synced all the maintained versions of ILIAS (4.3, 4.4, 5.0) back to the SVN-Server. Besides those Release-Branches many Custom-Branches has been used on the SVN-Server.
There are two services which will be obsolete at some point:
- the synchronization from Github to SVN
- the SVN-Server itself
We kindly ask you to participate the following survey: http://www.ilias.de/docu/goto_docu_svy_5157.html
We than are able to decide upon the shutdown-dates of the services mentioned above. Thank you very much!
Best regards
Fabian
--
Fabian Schmid
Member of the Executive Board
Head of Software Development
studer + raimann ag
IT- and Learning-Solutions
Farbweg 9
3400 Burgdorf
main +41 31 972 52 22
support +41 31 972 52 30
direct +41 31 972 52 27
fs(a)studer-raimann.ch
studer-raimann.ch
--
offene Stellen bei der studer + raimann ag
https://studer-raimann.ch/ueber-uns/news/offene-stellen/
Wanna know more? Contact us directly or find information online:
Corporate Website studer-raimann.ch | Product Website ilias.ch
Facebook <https://www.facebook.com/studer.raimann> | XING
<https://www.xing.com/companies/studer+raimannag> | LinkedIn
<https://www.linkedin.com/company/studer-raimann-ag>
Dear ILIAS admins,
the Jour Fixe of the ILIAS Society discussed the question how to proceed
with the supported PHP versions on the last meeting [1].
To finally take the decision on the next meeting on 22.05 we need your
feedback on the issue:
Is there anyone who is in severe trouble if we would drop the support
for PHP 5 completely with the subsequent release of ILIAS (i.e. ILIAS
5.4)? Do you see any problems if ILIAS 5.4, that will be released
somewhere around end of 2018, only supports PHP > 7?
Please use the wiki page [1] to voice your opinion.
If we do not get any feedback we will decide to drop support for PHP 5
completely with the subsequent ILIAS release.
[1] http://www.ilias.de/docu/goto_docu_wiki_wpage_4770_1357.html
[2] http://php.net/releases/7_1_0.php
Best regards!
--
Richard Klees
on behalf of the Technical Board of the ILIAS Society
and also
Lead Developer Qualifizierungsmanagement
---------------------------------------------
CaT Concepts and Training GmbH
Vorgebirgstraße 338
50969 Köln
Fon: +49 (0)221 / 46 75 76 - 56
Fax: +49 (0)221 / 46 75 76 - 09
Mail: richard.klees(a)concepts-and-training.de
Web: http://www.concepts-and-training.de
---------------------------------------------
Geschäftsführung:
Sven Kapust, Gerald Konrad, Alexandra Oehlke,
Sandra Röbbelen, Volker Röbbelen, Denis Witt
Amtsgericht Köln HRB 57804
Ust-ID-Nr.: DE 814694228
Sitz: Köln
---------------------------------------------
Dear list members,
again a media object related security issue has been identified and
fixed for ILIAS versions >= 5.0. A big "Thank you" goes to researcher
Julian Rittweger for reporting this issue.
It was possible to upload SVG files as media objects (e.g. in wiki
pages) which could be used to inject and execute JavaScript (persistent
XSS).
With the latest fix of the responsible code maintainer, SVG files will
be sanitized when uploaded to ILIAS.
We advise strongly to update your ILIAS installation to the latest
version.
Best regards,
Michael Jansen
on behalf of the ILIAS e.V. and the Technical Board
