In the HTML documents section of the Security administration interface, users with the ADMIN role can enable a toggle that prevents privilege escalation attacks through uploaded HTML documents.
A privilege escalation attack can occur in the following circumstances:
- A user with the KHUB_ADMIN or CONTENT_PUBLISHER role uploads an HTML document.
- A user with the ADMIN, USERS_ADMIN and/or PORTAL_ADMIN role views that document in the Viewer page.
- The user with the KHUB_ADMIN or CONTENT_PUBLISHER role injects JavaScript into the HTML document to obtain rights reserved for users with the ADMIN, USERS_ADMIN and/or PORTAL_ADMIN role.
HTML documents include all unstructured documents, map attachments and resources with the MIME type text/html.
When the toggle is enabled, users must select the Download option to access an HTML document; the document is never rendered in the portal. The Download option is available in the Search page next to the document's title, in the Viewer page content pane, and in the View page title bar. Any attempt to open the document directly in the Viewer page fails.
Disabling the toggle makes the portal vulnerable to the privilege escalation attack described above, because an uploaded HTML document is then rendered, with any script it contains, in the session of the administrator who views it.
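The following is an added illustration of the mechanism the toggle relies on; it is not the product's own code, and the function names, the document objects and the HTTP headers chosen are assumptions. The point it makes is that an uploaded text/html resource is safe to serve only as an attachment: a Content-Disposition: attachment response (with a non-HTML content type and nosniff) is saved by the browser instead of being executed in the viewer's session, while a "view" request for the same resource is refused outright when the toggle is on.

```javascript
// Added example (not the portal's own implementation): deciding how a stored
// document may be served depending on the "download only for HTML" toggle.

// Matches "text/html" with or without parameters such as "; charset=utf-8".
const HTML_MIME = /^text\/html(\s*;.*)?$/i;

function isHtmlDocument(mimeType) {
  return HTML_MIME.test((mimeType || "").trim());
}

// Strip characters that could break the Content-Disposition header value.
function safeFilename(name) {
  return String(name).replace(/[\r\n"\\;]/g, "_");
}

// doc: { name, mimeType, body }   options: { toggleEnabled, mode: "view" | "download" }
// Returns the response the server should send: { allowed, status, headers, reason? }.
function serveDocument(doc, { toggleEnabled, mode }) {
  const html = isHtmlDocument(doc.mimeType);

  // Toggle on: an HTML document must not be rendered in the Viewer page at all.
  if (html && toggleEnabled && mode === "view") {
    return {
      allowed: false,
      status: 403,
      headers: {},
      reason: "HTML documents can only be downloaded while the toggle is enabled",
    };
  }

  // nosniff stops the browser from second-guessing the declared type.
  const headers = { "X-Content-Type-Options": "nosniff" };

  if (html && mode === "download") {
    // Served as an opaque attachment: the browser saves it instead of executing it.
    headers["Content-Type"] = "application/octet-stream";
    headers["Content-Disposition"] = `attachment; filename="${safeFilename(doc.name)}"`;
  } else {
    // Non-HTML resources (or HTML with the toggle off) are rendered as they are.
    headers["Content-Type"] = doc.mimeType;
    headers["Content-Disposition"] = "inline";
  }
  return { allowed: true, status: 200, headers };
}

// Constructed sample documents for a stand-alone run.
const SAMPLE_DOCS = [
  { name: "guide.html", mimeType: "text/html; charset=utf-8", body: "<p>example</p>" },
  { name: "diagram.png", mimeType: "image/png", body: "" },
];

for (const doc of SAMPLE_DOCS) {
  for (const mode of ["view", "download"]) {
    const res = serveDocument(doc, { toggleEnabled: true, mode });
    console.log(doc.name, mode, res.status, res.headers["Content-Disposition"] || res.reason);
  }
}

module.exports = { isHtmlDocument, safeFilename, serveDocument, SAMPLE_DOCS };
```

With the toggle enabled, guide.html is refused for "view" (403) and served as an attachment for "download", while diagram.png is unaffected in both modes; with the toggle disabled, the same HTML document would be returned inline and rendered in whoever's session requested it.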