Worrying stuff Kathryn!
The first lesson that any (web) developer should learn is not to trust the
end-user and to sanity check everything being returned to the program -
something that the Blackboard developers obviously haven't bothered to do.
Surprising really, because all it usually takes is a single line of code to
strip out (or convert) the naughty characters that normally appear in any
cross-site scripting exploit.
regards
Dave Pattern
INHALE Project
University of Huddersfield
-----Original Message-----
From: Kathryn Dawes
To: [log in to unmask]
Sent: 04/07/02 11:24
Subject: cross-site scripting
Hi,
Appears that anyone with a small amount of knowledge of Javascript can
mess around with Blackboard to quite an extent. Also seems Bb do know
about it.
I tried out the exploits mentioned in the message from a bug mailing
list (below). They work on Blackboard.com and on our Bb site. I'm not a
Javascript expert so I don't know enough to really try and mess things
up, but I did try out adding some script to the heading for a message
in a discussion board - that discussion is now dead, deceased, fallen
off the perch...... All I did was add the following line of code to the
message header;
<script>alert("Hello world")</script>
You now get a little alert box popping up (empty) and no bottom of the
page - so any messages added won't show up and the controls to
acknowledge having read the message aren't there.
We also tried putting the same script in the address bar of IE on the
login page. When I try it I get a forms text box appearing at the top
of the page - I 'believe' that you can then enter stuff into this to do
nastier stuff - but I'm not sure what.
We don't anticipate a huge problem with people messing with this but it
would only take one...
Mailing-List: contact [log in to unmask]; run by ezmlm
From: Berend-Jan Wever <[log in to unmask]>
> To: [log in to unmask]
> Subject: CSS in blackboard
>
> Product: Blackboard 5
> Vendor: Blackboard inc
> Website: www.Blackboard.com
>
> Reported: 24 apr 2002: Discovered CSS in blackboard program and
> company.blackboard.com. Reported CSS in blackboard program at
> http://company.blackboard.com/contactus/Suggestions.cgi.
> Reported CSS in company.blackboard.com to [log in to unmask]
>
> Problem: Blackboard 5 contains multiple input validation errors,
> exploitable with Cross-site scripting, an example: http://
> [server]/bin/login.pl?course_id="><SCRIPT>alert()</SCRIPT>
> The people at Blackboard seem not to have a clue about CSS and have
> therefore almost totally forgotten to check the user input against
> illegal characters. Even more interesting than the "poisoned link"
> example above is the possibility to create a "CSS Traps" by poisoning
> messages in the group discussion board. SCRIPTs can be inserted into
> the title of messages.
>
> Some more examples of the apparent ignorance of the people at
> blackboard:
>
http://company.blackboard.com/contactus/ProcessInfo.cgi?Response=7&CTID=
"]
> [SCRIPT]alert(document.cookie)[/SCRIPT]
>
http://company.blackboard.com/contactus/index.cgi?Message=[SCRIPT]alert
> (document.cookie)[/SCRIPT]
> (replace [ & ] with < & >, duh...)
>
> Berend-Jan Wever aka SkyLined
> http://spoor12.edup.tudelft.nl
>
> http://spoor12.edup.tudelft.nl/SkyLined v4.2/?Cross site scripting
archive
____________________________________________
Kathryn Dawes
Cynorthwy-ydd Technoleg Dysgu / Learning Technology Assistant
E-mail / E-bost : [log in to unmask]
Tel / Fftn : 01970 62 1776
For Blackboard queries, please use the new [log in to unmask] address
Blackboard Help online:
http://www.inf.aber.ac.uk/learningtechnology/Bb/HelpSheets/HelpHome.asp
Computer Aided Assessment:
http://www.inf.aber.ac.uk/learningtechnology/caa/evaluation/caaevalhome.
asp
____________________________________________
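
Added example, not part of the original thread and not Blackboard's code: the "strip out (or convert)" fix from the reply at the top, applied to the two injection points the thread describes (the course_id parameter reflected into an attribute, and a discussion message title). The template fragments and the course_id pattern are assumptions; the sample payloads are the ones quoted above.

```python
import html
import re

# Constructed sample inputs, using the payload shapes quoted in the thread.
POISONED_COURSE_ID = '"><SCRIPT>alert()</SCRIPT>'
POISONED_TITLE = '<script>alert("Hello world")</script>'

# Hypothetical template fragments; the real Blackboard markup is not on the page.
FIELD_TMPL = '<input type="hidden" name="course_id" value="{}">'
TITLE_TMPL = '<h2 class="msg-title">{}</h2>'

# Assumed identifier format for the allow-list check (letters, digits, _ and -).
COURSE_ID_RE = re.compile(r'[A-Za-z0-9_-]{1,64}')


def render_unsafe(course_id, title):
    """The 'before': user input pasted straight into the markup."""
    return FIELD_TMPL.format(course_id) + TITLE_TMPL.format(title)


def valid_course_id(value):
    """Input validation: accept only a plain identifier."""
    return COURSE_ID_RE.fullmatch(value) is not None


def render_safe(course_id, title):
    """The 'after': validate the identifier, then encode on output.

    html.escape(quote=True) converts & < > " ' so a value can neither close
    the attribute nor open a tag. Both values are encoded even though
    course_id was validated, so loosening the pattern later stays safe.
    """
    if not valid_course_id(course_id):
        course_id = ''  # dropped here; a real application would return an error
    return (FIELD_TMPL.format(html.escape(course_id, quote=True))
            + TITLE_TMPL.format(html.escape(title, quote=True)))


def has_live_script(markup):
    """Crude demo check: does an actual <script> tag survive in the output?"""
    return re.search(r'<\s*script', markup, re.IGNORECASE) is not None


if __name__ == '__main__':
    print(render_unsafe(POISONED_COURSE_ID, POISONED_TITLE))
    print(render_safe(POISONED_COURSE_ID, POISONED_TITLE))
    print(render_safe('CS101_2002', 'Week 3 <reading> & notes'))
```

The title is encoded at render time rather than rejected, so a legitimate subject line containing < or & still displays as typed.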