Vendor : WEBCT URL : http://webct.com/ Version : WebCT Campus Edition Version 4.1 Risk : Cross site scripting
Description: WebCT is the world's leading provider of e-learning systems for educational
institutions.
WebCT's vision is to deliver innovative e-learning solutions to help institutions
improve educational outcomes for students around the world.
WebCT is a trusted industry leader in providing e-learning systems for educational
institutions. Thousands of institutions in more than 70 countries worldwide are expanding
the boundaries of teaching and learning with WebCT.
Cross site scripting: The filtering script for the discussion board doesnt filter iframe,
img, or object. All of which can take advantage of xss and because of the way my schoo was
setup this lead to full access to their email, and account information.
Solution: The easiest way would be to just disallow iframe,img,and object tags or html tags
at all.
Credits: Credits goto http://hackthissite.org. It provided a nice, open, legal environment
for me to try new things and learn from those who know. A place where you are not
reprimanded even if u deface a page or two. A place where I started with no knowledge and
in less than a year found new vulnerabilities of my own. Thank you http://hackthissite.org.
Lab rats: The Nick's, Shrinidhi, Charbel and most importantly to Halley, you give me the
strength and courage to do all that I do, without you I am nothing. Thank you sweetheart.
Exploit: This is exploited using iframe,img, or object tags to redirect you to a maliscious
site.
Spiffomatic64 Hacking is an art-form
_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar � get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
