ilias-admins

ilias-admins@lists.ilias.de

251 discussions

ILIAS Security Issues: Self Registration and Course/File Import

by Michael Jansen

Dear list members, several security issues have been identified (thanks to Nicolas Schäfli [studer + raimann ag] and Johannes [KIT]) and fixed for ILIAS version 5.0, 5.1 and 5.2. The first weakness was located in the code validation part of the self registration. The second type of vulnerability affected the XML import of course and file objects. It was possible to copy arbitrary files into the media object directory (course import), and to copy a source file to an arbitrary location on the file system (file import). We advise strongly to update your ILIAS installation to the latest version. For more detailed explanations don't hesitate to contact us. Best regards, Michael Jansen on behalf of the ILIAS e.V. and the Technical Board

8 years, 6 months

ILIAS 5.1.16 published

by Anton Arsenij

8 years, 6 months

ILIAS 5.2.2 published

by Anton Arsenij

8 years, 6 months

ILIAS 5.0.20 published

by Anton Arsenij

8 years, 6 months

ILIAS 5.2.1 published

by Anton Arsenij

8 years, 6 months

ILIAS Security Issue: Follow Up Media Objects

by Michael Jansen

Dear list members, because of the feedback the Technical Board received after our last email regarding the changed behavior of media objects, we had a new and fruitful discussion on the matter. As an immediate/intermediate solution, it is now possible do define a black list of file extensions in the administration of media objects. Files of type 'html' are forbidden by default now. You would be required to change this setting in case HTML files are important for your scenarios. If you still plan to allow HTML files and are afraid of the security issue: * It should NOT be possible to steal the user's session cookie because session cookies in ILIAS are marked as 'httponly' and cannot be accessed by JavaScript code located in the uploaded HTML files (media objects). * Nevertheless the user's session cookie will STILL be sent in case a malicious script requests (e.g. via AJAX/XmlHttpRequest) ILIAS server-side scripts, so these requests are sent in the context of the user to whom the media object is presented. As a medium-term solution, the Technical Board highly appreciates and supports the introduction of methods like 'Subdomain Isolation' (presented by Pascal Grube last year) which ensures both: The possibility to upload HTML/JavaScript files and a certain level of security. We will get in contact with stakeholders interested in funding and further pushing the implementation of this. Best regards, Michael Jansen on behalf of the ILIAS e.V. and the Technical Board

8 years, 6 months

ILIAS Security Issue: Media objects

by Michael Jansen

Dear list members, a security issue has been identified (big thanks to Nicolas Schäfli) and fixed for ILIAS versions >= 5.0. It was possible to upload HTML files as media objects (e.g. in wiki pages) which could be used to inject JavaScript. According to the Jour Fixe decision the responsible component maintainer introduced some changes regarding the handling of HTML files uploaded as media objects. Jour Fixe, FEB 13, 2017: "To patch this problem we decided to prohibit the upload of HTML and the interpretation of HTML in media objects for 5.0 to 5.2." If *.html files are uploaded they are always renamed to *.sec now (similar to the handling of executables). The rendering has been deactivated. Existing *.html files (uploaded before the patch) are not rendered anymore, but there isn't a concept of deleting/renaming these files, yet. Best regards, Michael Jansen on behalf of the ILIAS e.V. and the Technical Board

8 years, 6 months

ILIAS Security Issue: QTI Import

by Michael Jansen

Dear list members, a security issue has been identified (big thanks to Thomas Hufschmidt) and fixed for ILIAS version 5.0 and 5.1. For version 5.2.0, the issue was already fixed at the time it was released. The vulnerability was located in the QTI import of *-choice questions with images used as answer options and existed since the initial implementation of QTI export/import. We advise strongly to update your ILIAS installation to the latest version (5.0.19, 5.1.15). For more detailed explanations don't hesitate to contact me. Best regards, Michael Jansen on behalf of the ILIAS e.V. and the Technical Board

8 years, 7 months

ILIAS 5.1.15 published

by Anton Arsenij

8 years, 7 months

ILIAS 5.0.19 published

by Anton Arsenij

8 years, 7 months

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

ilias-admins