Lightbox publishing is usually used to publish image assets, however Asset Bank allows any type of file, including HTML files, to be stored as an asset and allows HTML files to be published as part of published lightboxes.
This introduces a potential security issue: a non-admin user could publish an HTML file containing malicious JavaScript and then entice an admin user to open that file in a browser. Because the file is served from the Asset Bank site itself, the script runs in the admin's browser with the admin's session and can perform any action the admin is permitted to perform (a stored cross-site scripting attack).
The default configuration of Asset Bank versions since 3.1602.9 protects against this vulnerability by blocking HTML files within published lightboxes: any attempt to access them results in an "HTML Assets in Published Lightbox Blocked" message.
However, if you are using a web server such as IIS or Apache to serve your published lightboxes (instead of Tomcat, which is the out-of-the-box configuration), the files are served directly from disk and the Tomcat check is never applied. In that case you should configure the web server itself to deny access to HTML files (i.e. files with .htm or .html extensions) to protect against this security issue.
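As an added example (not configuration from Asset Bank or its documentation), the following Apache 2.4 fragment denies HTML files within a published-lightbox directory while still serving the image assets. The path /var/www/published-lightboxes and the URL prefix /lightboxes are assumed and should be replaced with your own; the extension match goes slightly beyond the page by also covering .xhtml and .svg, which browsers will render as active content containing script.

```apache
# Added example Apache 2.4 configuration; not part of the Asset Bank product.
# Assumes published lightboxes live in /var/www/published-lightboxes (hypothetical
# path) and are served under /lightboxes. Requires mod_alias and mod_headers.
Alias "/lightboxes" "/var/www/published-lightboxes"

<Directory "/var/www/published-lightboxes">
    Require all granted
    # No directory listings and no script execution for published files.
    Options -Indexes -ExecCGI

    # Deny every file whose name ends in .htm or .html (case-insensitive, so
    # "page.HTML" is also blocked). .xhtml and .svg are added here because a
    # browser will also execute script embedded in those types.
    <FilesMatch "(?i)\.(htm|html|xhtml|svg)$">
        Require all denied
    </FilesMatch>

    # Stop browsers from sniffing a mislabelled text asset into HTML.
    Header always set X-Content-Type-Options "nosniff"
</Directory>
```

After reloading Apache, a request such as `curl -I https://your-host/lightboxes/example/page.html` should return `403 Forbidden`, while the images in the same lightbox continue to return `200 OK`. On Apache 2.2 replace `Require all denied` with `Order allow,deny` followed by `Deny from all`. For IIS the equivalent is a request-filtering rule that denies the same file extensions for the lightbox site or virtual directory.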