ILIAS Learning Management System Server-Side Request Forgery Vulnerability

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in ILIAS Learning Management System versions 4.3 prior to 5.1. It allows an attacker to read local files through the portfolio PDF export functionality: a script injected into the portfolio that uses XMLHttpRequest executes when the portfolio is exported to PDF, so the contents of local files end up in the generated document.

Impact

Exploitation of this vulnerability could lead to unauthorized access to local files on the server where ILIAS is hosted.

Reproduction

To reproduce this vulnerability, create a portfolio in ILIAS 4.3. Inject HTML into the portfolio that includes a script referencing an external server. This script should use XMLHttpRequest to request a local file, such as '/etc/passwd'. When the portfolio is exported to PDF, the injected script will execute and retrieve the specified file's contents, which will then be included in the downloaded PDF.
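The root cause is that user-controlled portfolio HTML reaches a renderer that executes script. Below is an added mitigation example, not ILIAS code: an allow-list sanitiser applied to portfolio HTML before it is handed to the PDF renderer. It strips script-bearing elements with their contents, every event-handler attribute, and any href that is not plain http(s), and reports how much it removed so the export path can log attempts. The tag and attribute lists are assumptions chosen for illustration.

```python
# Added mitigation example (not ILIAS code): allow-list sanitiser for
# user-supplied portfolio HTML, run before the HTML reaches a PDF renderer.
# The renderer in the advisory executes injected script with access to
# local files, so nothing that can run script or fetch a URL may pass.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li",
                "h1", "h2", "h3", "br", "a"}          # assumed allow-list
ALLOWED_ATTRS = {"a": {"href"}}                      # no on*, style, src
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}
VOID_TAGS = {"br"}

def _safe_url(value: str) -> bool:
    # Only plain http(s) links; rejects javascript:, data:, file: and friends.
    v = value.strip().lower()
    return v.startswith("http://") or v.startswith("https://")

class PortfolioSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # >0 while inside <script>, <iframe>, ... (contents dropped)
        self.dropped = 0      # removed tags/attributes; log when > 0

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.dropped += 1
            return
        if tag not in ALLOWED_TAGS:
            self.dropped += 1          # unknown tag removed, its text kept
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped += 1      # drops onclick, onload, style, ...
                continue
            if name == "href" and not _safe_url(value or ""):
                self.dropped += 1
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # text is re-escaped on output

def sanitize_portfolio_html(html: str):
    """Return (clean_html, dropped_count); comments and declarations are discarded."""
    p = PortfolioSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped
```

A non-zero dropped count on a portfolio export is worth alerting on, since benign authors rarely paste script tags or event handlers into a portfolio.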

Added: Jan 28, 2026, 6:52 PM
Updated: Jan 28, 2026, 6:52 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 0.8
exploitability: 6.6
remediation: 0.0
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.