HTML documents - Fluid Topics - 3.11

Fluid Topics Configuration and Administration Guide

Category: Reference Guides
Audience: public
Version: 3.11

In the HTML documents section of the Security administration interface, users with the ADMIN role can configure a toggle to prevent privilege escalation attacks.

A privilege escalation attack can occur in the following circumstances:

  1. A user with the KHUB_ADMIN or CONTENT_PUBLISHER role uploads an HTML document.
  2. A user with the ADMIN, USERS_ADMIN and/or PORTAL_ADMIN role views that document in the Viewer page.
  3. The user with the KHUB_ADMIN or CONTENT_PUBLISHER role injects JavaScript into the HTML document to obtain rights reserved for users with the ADMIN, USERS_ADMIN and/or PORTAL_ADMIN role.

HTML documents include all unstructured documents, map attachments and resources with the MIME type text/html.

When the toggle is enabled, users must select the Download option to access an HTML document. The Download option is available in the Search page next to the document's title, in the Viewer page content pane, and in the View page title bar. Any attempt to open the document directly in the Viewer page will fail.

Disabling the toggle makes the portal vulnerable to privilege escalation attacks.
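The download-only behaviour described above can be pictured as a header decision made when a document is served. This is an added sketch, not Fluid Topics code: the function names, the `doc` shape and the use of `Content-Disposition: attachment` are assumptions about one common way to stop uploaded HTML from rendering in the portal's origin.

```javascript
// Added illustration, not Fluid Topics code. All names here are hypothetical.

// Reduce a Content-Type value to its bare MIME type so that variants such as
// "Text/HTML; charset=utf-8" are still recognised as HTML.
function normalizeMime(contentType) {
  return String(contentType || "").split(";")[0].trim().toLowerCase();
}

// Keep only conservative characters so the filename cannot break out of the
// quoted header value (quotes, CR/LF, path separators are replaced).
function safeFilename(name) {
  const cleaned = String(name || "").replace(/[^A-Za-z0-9._-]/g, "_").slice(0, 100);
  return cleaned || "document";
}

// Decide how a stored document is served.
// toggleEnabled mirrors the Security > HTML documents toggle on this page.
function responseHeadersFor(doc, toggleEnabled) {
  const mime = normalizeMime(doc.contentType);
  const headers = {
    "Content-Type": mime || "application/octet-stream",
    // Stop the browser from sniffing a mislabelled body into HTML.
    "X-Content-Type-Options": "nosniff",
  };
  if (mime === "text/html" && toggleEnabled) {
    // Forced download: the file is saved instead of rendered, so any script
    // in it never runs with the viewing administrator's portal session.
    headers["Content-Disposition"] =
      `attachment; filename="${safeFilename(doc.filename)}"`;
    return { openInViewer: false, headers };
  }
  // Toggle disabled (or not HTML): the document renders in the Viewer page.
  headers["Content-Disposition"] = "inline";
  return { openInViewer: true, headers };
}

// Constructed sample input.
const sample = { contentType: "Text/HTML; charset=utf-8", filename: "guide v2.html" };
console.log(responseHeadersFor(sample, true));
console.log(responseHeadersFor(sample, false));
```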