<<< Date Index >>>     <<< Thread Index >>>

WebCT Campus Edition 4.1 - Cross site scripting using CSS @import




Name: WebCT Campus Edition 4.1 - Cross site scripting using CSS @import
Release date: 2004/03/29
Application: WebCT Campus Edition 4.1 (4.1.1.5), possibly others
Vendor URL: http://www.webct.com/ (WebCT Inc.)
Author: Simon Boulet <simon.boulet@xxxxxxxxxxxx>

Legal Notice:
--------------------
This Advisory is Copyright (c) 2004 Simon Boulet
You may distribute it unmodified.
You may NOT modify it and distribute it or distribute parts of it without the author's written permission.

Disclaimer:
--------------------
The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory are my own and not of any company. The usual standard disclaimer applies, especially the fact that Simon Boulet is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory. Simon Boulet bears no responsibility for content or misuse of this advisory or any derivatives thereof.

Description:
--------------------
WebCT Campus Edition is a course management system which allows the delivery of course material and assessments online. It is used by many colleges and universities world-wide.

This version of WebCT allows HTML tags to be inserted when posting new messages on a forum. Although WebCT filters dangerous tags insertion, it is possible to bypass this security, resulting in a cross-site scripting (XSS) vulnerability.

Problem:
--------------------
Microsoft Internet Explorer allows execution of JavaScript code inside the CSS @import url() parameter. A user could post a specially crafted message using the @import method to insert malicious JavaScript code in a forum thread. The inserted code could potentially steal session cookies from users accessing the given thread.

In most circumstances, this problem would result in the user’s session hijacking (ex.: stealing the session id). But unfortunately, WebCT Campus Edition stores sensitive information, such as login name and password, directly in user’s cookies.

Furthermore, the file upload module, which allows students to upload files directly through WebCT, seems to be vulnerable to the same issue.
        
Example:
--------------------
A user could post the following code through a forum thread:

<style type="text/css">
@import url(javascript:alert(document.cookie));
</style>

Solution:
--------------------
The vendor was contacted on 2004/03/18 and has quickly addressed this issue. Updates (untested) are available for the following products:

WebCT CE 4.1 SP2 Hotfix 40832
http://download.webct.com/ce+/4.1/hotfixes/41sp2_hotfix_rel_notes.html

WebCT CE 4.0 SP3 Hotfix 40833
http://download.webct.com/ce+/4.0/hotfixes/40sp3_hotfix_rel_notes.html

WebCT CE 3.8.4 Hotfix 8
http://download.webct.com/ce+/3.8/hotfixes/384_hotfix_rel_notes.html