exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

webctCE41.txt

webctCE41.txt
Posted Mar 28, 2004
Authored by Simon Boulet

WebCT Campus Edition 4.1 suffers from cross site scripting vulnerabilities.

tags | advisory, vulnerability, xss
SHA-256 | 9811273a7d7f6f67502a55786b4bd23a23642644d3f8eaebf2dc404d231626bb

webctCE41.txt

Change Mirror Download

Name: WebCT Campus Edition 4.1 - Cross site scripting using CSS @import
Release date: 2004/03/29
Application: WebCT Campus Edition 4.1 (4.1.1.5), possibly others
Vendor URL: http://www.webct.com/ (WebCT Inc.)
Author: Simon Boulet <simon.boulet@divahost.net>

Legal Notice:
--------------------
This Advisory is Copyright (c) 2004 Simon Boulet
You may distribute it unmodified.
You may NOT modify it and distribute it or distribute parts of it
without the author's written permission.

Disclaimer:
--------------------
The information in this advisory is believed to be true though it may
be false. The opinions expressed in this advisory are my own and not of
any company. The usual standard disclaimer applies, especially the fact
that Simon Boulet is not liable for any damages caused by direct or
indirect use of the information or functionality provided by this
advisory. Simon Boulet bears no responsibility for content or misuse of
this advisory or any derivatives thereof.

Description:
--------------------
WebCT Campus Edition is a course management system which allows the
delivery of course material and assessments online. It is used by many
colleges and universities world-wide.

This version of WebCT allows HTML tags to be inserted when posting new
messages on a forum. Although WebCT filters dangerous tags insertion,
it is possible to bypass this security, resulting in a cross-site
scripting (XSS) vulnerability.

Problem:
--------------------
Microsoft Internet Explorer allows execution of JavaScript code inside
the CSS @import url() parameter. A user could post a specially crafted
message using the @import method to insert malicious JavaScript code in
a forum thread. The inserted code could potentially steal session
cookies from users accessing the given thread.

In most circumstances, this problem would result in the user’s session
hijacking (ex.: stealing the session id). But unfortunately, WebCT
Campus Edition stores sensitive information, such as login name and
password, directly in user’s cookies.

Furthermore, the file upload module, which allows students to upload
files directly through WebCT, seems to be vulnerable to the same issue.

Example:
--------------------
A user could post the following code through a forum thread:

<style type="text/css">
@import url(javascript:alert(document.cookie));
</style>

Solution:
--------------------
The vendor was contacted on 2004/03/18 and has quickly addressed this
issue. Updates (untested) are available for the following products:

WebCT CE 4.1 SP2 Hotfix 40832
http://download.webct.com/ce+/4.1/hotfixes/41sp2_hotfix_rel_notes.html

WebCT CE 4.0 SP3 Hotfix 40833
http://download.webct.com/ce+/4.0/hotfixes/40sp3_hotfix_rel_notes.html

WebCT CE 3.8.4 Hotfix 8
http://download.webct.com/ce+/3.8/hotfixes/384_hotfix_rel_notes.html



Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close