('binary' encoding is not supported, stored as-is) Product: Blackboard 5 Vendor: Blackboard inc Website: www.Blackboard.com Reported: 24 apr 2002: Discovered CSS in blackboard program and company.blackboard.com. Reported CSS in blackboard program at http://company.blackboard.com/contactus/Suggestions.cgi. Reported CSS in company.blackboard.com to dyaskinat_private Problem: Blackboard 5 contains multiple input validation errors, exploitable with Cross-site scripting, an example: http:// [server]/bin/login.pl?course_id="><SCRIPT>alert()</SCRIPT> The people at Blackboard seem not to have a clue about CSS and have therefore almost totally forgotten to check the user input against illegal characters. Even more interresting than the "poisoned link" example above is the possibility to create a "CSS Traps" by poisoning messages in the group discussion board. SCRIPTs can be inserted into the title of messages. Some more examples of the apparant ignorance of the people at blackboard: http://company.blackboard.com/contactus/ProcessInfo.cgi?Response=7&CTID="] [SCRIPT]alert(document.cookie)[/SCRIPT] http://company.blackboard.com/contactus/index.cgi?Message=[SCRIPT]alert (document.cookie)[/SCRIPT] (replace [ & ] with < & >, duh...) Berend-Jan Wever aka SkyLined http://spoor12.edup.tudelft.nl http://spoor12.edup.tudelft.nl/SkyLined v4.2/?Cross site scripting archive
This archive was generated by hypermail 2b30 : Mon Jul 01 2002 - 14:55:44 PDT