SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   WebCT Vendors:   WebCT
WebCT Input Validation Flaw Permits Remote Cross-Site Scripting Attacks Using @import url()
SecurityTracker Alert ID:  1009591
SecurityTracker URL:  http://securitytracker.com/id/1009591
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Mar 29 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.1.1.5, possibly other versions
Description:   An input validation vulnerability was reported in WebCT Campus Edition. A remote authenticated user can conduct cross-site scripting attacks.

Simon Boulet reported that the software does not properly filter HTML code from user-supplied input when creating new messages. A remote user can reportedly inject scripting code within the CSS @import url() parameter (supported by Microsoft Internet Explorer browsers).

A remote user can submit specially crafted input that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the WebCT software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

It is also reported that the software stores the user's password in a cookie, so a cross-site scripting attack may allow a remote user to obtain a target user's password.

A similar flaw is reported in the file upload module.

Impact:   A remote user can access the target user's cookies (including authentication cookies) associated with the site running the WebCT software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued the following fixes:

WebCT CE 4.1 SP2 Hotfix 40832
http://download.webct.com/ce+/4.1/hotfixes/41sp2_hotfix_rel_notes.html

WebCT CE 4.0 SP3 Hotfix 40833
http://download.webct.com/ce+/4.0/hotfixes/40sp3_hotfix_rel_notes.html

WebCT CE 3.8.4 Hotfix 8
http://download.webct.com/ce+/3.8/hotfixes/384_hotfix_rel_notes.html

Vendor URL:  www.webct.com/products/viewpage?name=products_campus_edition (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Red Hat Enterprise), Linux (Red Hat Linux), UNIX (Solaris - SunOS), Windows (2000), Windows (2003)

Message History:   None.


 Source Message Contents

Subject:  WebCT Campus Edition 4.1 - Cross site scripting using CSS @import



Name: WebCT Campus Edition 4.1 - Cross site scripting using CSS @import
Release date: 2004/03/29
Application: WebCT Campus Edition 4.1 (4.1.1.5), possibly others
Vendor URL: http://www.webct.com/ (WebCT Inc.)
Author: Simon Boulet <simon.boulet@divahost.net>

Legal Notice:
--------------------
This Advisory is Copyright (c) 2004 Simon Boulet
You may distribute it unmodified.
You may NOT modify it and distribute it or distribute parts of it  
without the author's written permission.

Disclaimer:
--------------------
The information in this advisory is believed to be true though it may  
be false. The opinions expressed in this advisory are my own and not of  
any company. The usual standard disclaimer applies, especially the fact  
that Simon Boulet is not liable for any damages caused by direct or  
indirect use of the information or functionality provided by this  
advisory. Simon Boulet bears no responsibility for content or misuse of  
this advisory or any derivatives thereof.

Description:
--------------------
WebCT Campus Edition is a course management system which allows the  
delivery of course material and assessments online. It is used by many  
colleges and universities world-wide.

This version of WebCT allows HTML tags to be inserted when posting new  
messages on a forum. Although WebCT filters dangerous tags insertion,  
it is possible to bypass this security, resulting in a cross-site  
scripting (XSS) vulnerability.

Problem:
--------------------
Microsoft Internet Explorer allows execution of JavaScript code inside  
the CSS @import url() parameter. A user could post a specially crafted  
message using the @import method to insert malicious JavaScript code in  
a forum thread. The inserted code could potentially steal session  
cookies from users accessing the given thread.

In most circumstances, this problem would result in the user’s session  
hijacking (ex.: stealing the session id). But unfortunately, WebCT  
Campus Edition stores sensitive information, such as login name and  
password, directly in user’s cookies.

Furthermore, the file upload module, which allows students to upload  
files directly through WebCT, seems to be vulnerable to the same issue.
	
Example:
--------------------
A user could post the following code through a forum thread:

<style type="text/css">
@import url(javascript:alert(document.cookie));
</style>

Solution:
--------------------
The vendor was contacted on 2004/03/18 and has quickly addressed this  
issue. Updates (untested) are available for the following products:

WebCT CE 4.1 SP2 Hotfix 40832
http://download.webct.com/ce+/4.1/hotfixes/41sp2_hotfix_rel_notes.html

WebCT CE 4.0 SP3 Hotfix 40833
http://download.webct.com/ce+/4.0/hotfixes/40sp3_hotfix_rel_notes.html

WebCT CE 3.8.4 Hotfix 8
http://download.webct.com/ce+/3.8/hotfixes/384_hotfix_rel_notes.html




 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC