WebCT 4.1 vulnerable to XSS attacks

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WebCT 4.1 vulnerable to XSS attacks
From: <lacertosum@xxxxxxxxx>
Date: 11 Apr 2005 18:33:51 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


The discussion board feature of WebCT is vulnerable to XSS.

Here is the proof of concept:
When you are composing a new message, in the message field of the form, type 
this:

</pre><table background=java&#x09;script:alert("XSS Warning")>
</table>

Then submit the message. You should see a JavaScript alert box that says "XSS 
Warning" when you wiew your message. It is also possible to redirect users that 
view the message to an outside page (I did this on my college's WebCT board). 
Obviously, a malicious person could exploit this to steal WebCT's cookies and 
possibly compromise user accounts. 

The redirect exploit is simple enough:
</pre><table background=java&#x09;script:location.replace("URL")>
</table>

Prev by Date: 7a69Adv#23 - Jar tool directory transversal vulnerability
Next by Date: Sql injection in jPortal version 2.3.1 (module banner)
Previous by thread: 7a69Adv#23 - Jar tool directory transversal vulnerability
Next by thread: iDEFENSE Security Advisory 04.12.05: Microsoft Windows CSRSS.EXE Stack Overflow Vulnerability
Index(es):
- Date
- Thread