[NT] WebCT Campus Edition Cross Site Scripting Using CSS (@import)

From: SecuriTeam (support_at_securiteam.com)
Date: 03/31/04 

To: list@securiteam.com
Date: 31 Mar 2004 11:54:08 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  WebCT Campus Edition Cross Site Scripting Using CSS (@import)
------------------------------------------------------------------------

SUMMARY

" <http://www.webct.com/> WebCT Campus Edition is a global market-leading
course management system that enables the efficient delivery of high
quality online education. With a complete set of easy-to-use teaching and
learning tools for course development, course delivery, and course
management, WebCT Campus Edition provides the best system for student
learning and the most efficient solution for faculty of all experience
levels."

The affected version filters out dangerous HTML tags inserted into
messages when posting in a forum. However, it is possible to bypass the
protection mechanism and perform a cross-site scripting attack, steal
session information and cookies.

DETAILS

Vulnerable Systems:
 * WebCT Campus Edition version 4.1.1.5 and prior

Immune Systems:
 * WebCT CE version 4.1 SP2 Hotfix 40832
 * WebCT CE 4.0 SP3 Hotfix 40833
 * WebCT CE 3.8.4 Hotfix 8

Microsoft Internet Explorer allows execution of JavaScript code inside the
CSS @import url() parameter. With a specially crafted message a user can
insert malicious JavaScript code into a forum thread. The code can
potentially steal session cookies from users viewing the thread. Most
likely this will result in session hijacking (i.e. the session id will be
disclosed) if it weren't for the unfortunate data WebCT stores inside
cookies.

Login name and password are stored directly in the cookie and therefore
not only this allows session hijacking but also allows the attack to log
in as the victim at a later time, effectively compromising the account.
Furthermore, the file upload module used by students to upload files
directly through the system seems to be vulnerable as well. An example:
<style type="text/css">
@import url(javascript:a!ert(document.cookie));
</style>

Note that alert has been replaced by a!ert.

Vendor Status:
The vendor has been notified on 18/03/2004 and has quickly addressed the
issue. Updates are available for the following systems:

 * WebCT CE version 4.1 SP2 Hotfix 40832,
<http://download.webct.com/ce+/4.1/hotfixes/41sp2_hotfix_rel_notes.html>
http://download.webct.com/ce+/4.1/hotfixes/41sp2_hotfix_rel_notes.html
 * WebCT CE version 4.0 SP3 Hotfix 40833,
<http://download.webct.com/ce+/4.0/hotfixes/40sp3_hotfix_rel_notes.html>
http://download.webct.com/ce+/4.0/hotfixes/40sp3_hotfix_rel_notes.html
 * WebCT CE version 3.8.4 Hotfix 8,
<http://download.webct.com/ce+/3.8/hotfixes/384_hotfix_rel_notes.html>
http://download.webct.com/ce+/3.8/hotfixes/384_hotfix_rel_notes.html

ADDITIONAL INFORMATION

The information has been provided by <mailto:simon.boulet@divahost.net>
Simon Boulet.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • [TOOL] Ecyware GreenBlue Inspector - Integrated Web Analyzer Environment
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Ecyware GreenBlue Inspector is an integrated web analyzer environment that ... the run or record a session for deeper analysis coverage. ... cookies or form data by ...
    (Securiteam)
  • [NEWS] Jetty Session ID Prediction Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Jetty Session ID Prediction Vulnerability ... Jetty uses java.util.Random to generate session ids. ...
    (Securiteam)
  • [NT] Citrix Access Gateway Session ID Disclosure Issue
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Citrix Access Gateway Session ID Disclosure Issue ... the Citrix Access Gateway product that will allow an attacker to gain ...
    (Securiteam)
  • [TOOL] Stompy the WWW Session Stomper
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WWW session identifier generation algorithms. ... cookies for common problems (Daves' WebScarab, SPI Cookie Cruncher, ... Runs a suite of FIPS-140-2 PRNG evaluation tests on the sample. ...
    (Securiteam)
  • [EXPL] phpBB UID Exploit
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... browsers in such a way that when the browser will try to access the phpBB ... This exploit overwrite all phpbb cookies that have the user id specified. ... In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages. ...
    (Securiteam)