Educause Security Discussion mailing list archives

Blackboard cross-domain frameset loading


From: "Cheng, Wang" <ChengW () SACREDHEART EDU>
Date: Sat, 3 Jan 2009 00:24:12 -0500

First of all, Happy New Year to everyone!

We were not aware of this and I had not seen any discussion about this on the list so just in case it is not common 
knowledge I wanted to let those schools using Blackboard know that it has a cross-domain frameset loading vulnerability 
by which you can load virtually any url into Blackboard's main frame by simply passing the url to 
http://[yourblackboardsite.school.edu]/webapps/portal/frameset.jsp?tab=courses&url=//[ANYURL]

i.e.:
https://blackboard.sacredheart.edu/webapps/portal/frameset.jsp?tab=courses&url=//www.amazon.com will load Amazon's home 
page into our Blackboard site without any authentication or warning.

After some brief research it appears this vulnerability has existed in some form or another since at least version 6 (I 
believe we currently use v8 with the latest app pack).  Some examples: http://secunia.com/advisories/17991/ and 
http://www.securityfocus.com/bid/15814 which seems to indicate it was patched back in v6.  I hope the "fix" Blackboard 
issued was not simply to require the addition of "//" to the front of the url passed...

There is still some great potential for session hijacking or phishing scams pretending to be official university sites 
under your Blackboard banner.  Something to watch out for.

BR,
    Conrado Wang Cheng Niemeyer
    Information Security Officer
    Sacred Heart University
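
One way to watch for the request pattern described in the post is to scan web server access logs for frameset.jsp requests whose url parameter resolves to a host other than the Blackboard site. This is an added example, not part of the original post and not Blackboard's code; the combined-style log format, the SITE placeholder, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urljoin, urlsplit

SITE = "https://yourblackboardsite.school.edu"  # placeholder host from the post
FRAMESET_PATH = "/webapps/portal/frameset.jsp"  # path named in the post
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '192.0.2.10 - - [03/Jan/2009:00:10:01 -0500] "GET /webapps/portal/'
    'frameset.jsp?tab=courses&url=%2Fsome%2Flocal%2Fpage HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Jan/2009:00:11:42 -0500] "GET /webapps/portal/'
    'frameset.jsp?tab=courses&url=//www.amazon.com HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Jan/2009:00:12:05 -0500] "GET /webapps/portal/'
    'frameset.jsp?tab=courses&url=%2F%2Fwww.example.org%2Flogin HTTP/1.1" 200 512',
    '192.0.2.10 - - [03/Jan/2009:00:13:30 -0500] "GET /index.html HTTP/1.1" 200 99',
]


def external_frame_target(request_uri, site=SITE):
    """Return the off-site host frameset.jsp is asked to load, else None."""
    try:
        parts = urlsplit(request_uri)
        if parts.path != FRAMESET_PATH:
            return None
        for value in parse_qs(parts.query).get("url", []):
            # Normalise backslashes and embedded tab/CR/LF so the value
            # resolves the way a browser would resolve it.
            cleaned = re.sub(r"[\t\r\n]", "", value.strip()).replace("\\", "/")
            target = urlsplit(urljoin(site + FRAMESET_PATH, cleaned))
            if target.hostname and target.hostname != urlsplit(site).hostname:
                return target.hostname
    except ValueError:
        return "unparseable"  # malformed URL: surface it for manual review
    return None


def scan(log_lines, site=SITE):
    """Return [(line_number, host)] for requests that point the frame off-site."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        host = external_frame_target(match.group(1), site) if match else None
        if host:
            hits.append((number, host))
    return hits


if __name__ == "__main__":
    for number, host in scan(SAMPLE_LOG):
        print(f"line {number}: frameset.jsp asked to load off-site host {host}")
```

The check compares only the resolved hostname, so same-site relative values such as the first sample line pass while both the literal and percent-encoded "//" forms are reported.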
