Media Module and Player are vulnerable against script injection

Lars Kiesow

Jul 10, 2017, 8:54:01 AM
to Opencast Security Notices
The Opencast 2.x Media Module and Player are vulnerable to script
injection, making it possible to have arbitrary code executed in the
browsers of visiting users or administrators.


The Problem
-----------

If you ever wanted to break your Opencast, please create a title like
this and go to the media module and/or the player:

<script type=application/javascript>window.location.href='http://lkiesow.de'</script>

Of course, this is just fun and far from the worst you can do with this.
For example, everyone allowed to ingest media could ingest a script
which would try to delete data through the REST interfaces or create a
new admin user.

This script would then automatically be executed whenever an
administrator views that recording, and you would end up with broken
data or a hijacked system.

In fact, this issue even applies to slide texts. Hence, depending on
the filtering you use for text extraction, lecturers can even inject
scripts by having them on their slides. By default, however, HTML tags
will be filtered!


Affected Versions
-----------------

This issue should affect all current Opencast installations (2.2 (not
verified), 2.3, 3.x and develop).


Fix Version
-----------

The issue has been fixed in Opencast 2.3.3 and 3.0.


Credits
-------

The issue was discovered and fixed by Lars Kiesow.
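
The class of bug described in this notice, as an added example that is not
Opencast's code and not the fix shipped in 2.3.3/3.0: uploader-supplied
metadata (title, slide texts) concatenated into markup, next to a version that
encodes each field at output time. The record layout and all function names
are assumptions made for illustration.

```javascript
// Added example. Constructed sample record: the title is the one quoted in
// the notice, the slide texts stand in for extracted slide text.
const episode = {
  title: "<script type=application/javascript>window.location.href='http://lkiesow.de'</script>",
  slideTexts: ["Compare: a < b && c > d", "Plain slide text"],
};

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode the five characters that can change HTML context (text or quoted attribute).
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: untrusted fields are pasted into the markup unchanged,
// so a title containing a <script> element becomes part of the page.
function renderEpisodeUnsafe(ep) {
  const slides = ep.slideTexts.map((t) => `<p class="slide">${t}</p>`).join("");
  return `<div class="episode"><h2>${ep.title}</h2>${slides}</div>`;
}

// Hardened pattern: every untrusted field is encoded where it is written out,
// both in element content and in the quoted attribute.
function renderEpisodeSafe(ep) {
  const title = escapeHtml(ep.title);
  const slides = (ep.slideTexts || [])
    .map((t) => `<p class="slide">${escapeHtml(t)}</p>`)
    .join("");
  return `<div class="episode"><h2 title="${title}">${title}</h2>${slides}</div>`;
}

// Regression check for a test suite: the template itself never emits <script>,
// so any occurrence in the output came from metadata.
function hasScriptElement(html) {
  return /<script\b/i.test(html);
}

console.log("unsafe output contains <script>:", hasScriptElement(renderEpisodeUnsafe(episode)));
console.log("safe output contains <script>:  ", hasScriptElement(renderEpisodeSafe(episode)));
console.log(renderEpisodeSafe(episode));
```

When the output is built through the DOM instead of strings, assigning the
value to textContent gives the same result without a hand-written encoder.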