Hakase SCORM Course Builder and CVE-2018-9206

We recently saw a security advisory (CVE-2018-9206) about BlueImp jQuery File Upload version 9.22.0, which we use in Hakase SCORM Course Builder. The advisory describes an exploit that uploads arbitrary files and executes them on the server.

Hakase SCORM Course Builder is not susceptible to these attacks.

Specifically, because:

  • Hakase SCORM Course Builder is written in Java, and the documented attacks are for PHP
  • We filter incoming files and only allow a limited set of images
  • We use Apache Tomcat, not Apache httpd
  • We use Spring Security for limiting access to files, not .htaccess
  • We upgrade the versions of the libraries as often as possible, and the next version, kenichi-3.0.3, will have the new version of the front end upload code
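As an added illustration of the second point (example code written for this post, not Hakase's or BlueImp's own), this is the shape of a server-side image allow-list on the Java side: the upload is accepted only if its leading bytes match a known image format and it fully decodes, it is stored under a server-chosen name, and it is re-encoded from pixels so that a script appended after the image data is discarded. Class, record and method names are assumptions; it needs Java 16 or later.

```java
import java.awt.image.BufferedImage;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.util.Arrays;
import java.util.Map;
import java.util.UUID;
import javax.imageio.ImageIO;

/** Added example, not Hakase's code: accept an upload only if it is a decodable PNG/JPEG/GIF. */
public final class ImageUploadFilter {

    /** Result: bytes to store (re-encoded) and a server-chosen file name. */
    public record Stored(String fileName, byte[] bytes) {}

    // Constructed allow-list: format name understood by ImageIO -> leading magic bytes.
    private static final Map<String, byte[]> MAGIC = Map.of(
        "png",  new byte[]{(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif",  new byte[]{'G', 'I', 'F', '8'});

    private static final int MAX_BYTES = 5 * 1024 * 1024;

    /** Validates the upload by content; the client-supplied name and extension are ignored. */
    public static Stored accept(byte[] upload) throws IOException {
        if (upload.length == 0 || upload.length > MAX_BYTES) {
            throw new IOException("rejected: empty or larger than " + MAX_BYTES + " bytes");
        }
        String format = MAGIC.entrySet().stream()
            .filter(e -> upload.length >= e.getValue().length
                      && Arrays.equals(Arrays.copyOf(upload, e.getValue().length), e.getValue()))
            .map(Map.Entry::getKey).findFirst()
            .orElseThrow(() -> new IOException("rejected: not an allow-listed image type"));
        // Decode fully: a script with a forged image header will not produce pixels.
        BufferedImage img = ImageIO.read(new ByteArrayInputStream(upload));
        if (img == null) {
            throw new IOException("rejected: header matched but the data is not a " + format);
        }
        // Re-encode from pixels so anything appended after the image data is discarded.
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        if (!ImageIO.write(img, format, out)) {
            throw new IOException("rejected: no encoder for " + format);
        }
        // Server-generated name with a fixed extension; never reuse the client's file name.
        return new Stored(UUID.randomUUID() + "." + format, out.toByteArray());
    }
}
```

Whatever the filter accepts still needs to be served from a location that the container never treats as executable content, which is where the Tomcat and Spring Security points above come in.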

So, your data is safe with us.

CEO, Tetsuwan Technology
We love learning.
