Educause Security Discussion mailing list archives
Re: Blackboard cross-domain frameset loading
From: Mike Austin <mga+educause () UVM EDU>
Date: Tue, 6 Jan 2009 13:11:07 -0500
Thanks for this information. We were worried enough about the phishing implications of this that we implemented our own fix. A co-worker of mine snooped through the Java and was able to come up with a fix that we have implemented on our production Blackboard servers (after having run in test for two days).

Patch and installation information at: http://www.uvm.edu/~bcodding/ticker/archives/16

The fix shows an error, rather than the site: https://bb.uvm.edu/webapps/portal/frameset.jsp?tab=courses&url=//www.amazon.com

Mike
--
Systems Architecture & Administration
University of Vermont

On Sat, 3 Jan 2009, Cheng, Wang wrote:
First of all, Happy New Year to everyone!

We were not aware of this and I had not seen any discussion about this on the list, so just in case it is not common knowledge I wanted to let those schools using Blackboard know that it has a cross-domain frameset loading vulnerability by which you can load virtually any URL into Blackboard's main frame by simply passing the URL to http://[yourblackboardsite.school.edu]/webapps/portal/frameset.jsp?tab=courses&url=//[ANYURL]

i.e.: https://blackboard.sacredheart.edu/webapps/portal/frameset.jsp?tab=courses&url=//www.amazon.com will load Amazon's home page into our Blackboard site without any authentication or warning.

After some brief research it appears this vulnerability has existed in some form or another since at least version 6 (I believe we currently use v8 with the latest app pack). Some examples: http://secunia.com/advisories/17991/ and http://www.securityfocus.com/bid/15814, which seems to indicate it was patched back in v6. I hope the "fix" Blackboard issued was not simply to require the addition of "//" to the front of the URL passed...

There is still some great potential for session hijacking or phishing scams pretending to be official university sites under your Blackboard banner. Something to watch out for.

BR,
Conrado Wang Cheng Niemeyer
Information Security Officer
Sacred Heart University
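The two messages above describe the failure mode but neither shows the check itself. The following is an added example, not code from the thread, from Blackboard or from the UVM patch: it contrasts a denylist check of the kind the original post suspects (blocking only "http://" and "https://", which a protocol-relative "//host" value slips past) with an allowlist check that accepts only a root-relative path on the same site, which is all a frameset `url` parameter legitimately needs. Blackboard's frameset.jsp is Java, but the logic is language-independent and is written here in Python so it can be run as-is. The function names, the error message and the sample URLs are assumptions for illustration.

```python
from urllib.parse import urlsplit

# Added example, not Blackboard's code or the UVM patch. Function names,
# the error string and the sample inputs are assumptions for illustration.


def naive_is_safe(url: str) -> bool:
    """Denylist check: rejects only absolute http(s) URLs.

    A protocol-relative value such as "//www.amazon.com" passes, and the
    browser resolves it against the current scheme, so the foreign site
    still loads inside the frameset. This is the bypass the thread describes.
    """
    lowered = url.strip().lower()
    return not lowered.startswith(("http://", "https://"))


def is_local_path(url: str) -> bool:
    """Allowlist check: accept only a root-relative path on this host."""
    if not url or any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        # Empty, whitespace or control characters: never a legitimate tab URL.
        return False
    # Browsers treat backslashes as slashes in http(s) URLs, so "/\evil"
    # means "//evil"; normalise before any prefix test.
    candidate = url.replace("\\", "/")
    # Two or more leading slashes mean "an authority follows" once the
    # browser resolves the value, so "///host" is as bad as "//host".
    if candidate.startswith("//"):
        return False
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # "http://host", "javascript:..." and friends all carry a scheme.
        return False
    # Require an explicit root-relative path; a bare relative path depends
    # on the referring page and is harder to reason about.
    return parts.path.startswith("/")


def frame_target(url: str):
    """Decide what the frameset handler should emit for a url parameter.

    Returns ("frame", url) when the target may be loaded, otherwise
    ("error", reason), mirroring what Mike Austin describes for the UVM
    fix: an error page instead of the foreign site.
    """
    if is_local_path(url):
        return ("frame", url)
    return ("error", "refusing to frame non-local URL")


if __name__ == "__main__":
    # Constructed sample inputs modelled on the URLs quoted in the thread.
    samples = [
        "//www.amazon.com",          # the bypass discussed in the thread
        "http://www.amazon.com",     # plain absolute URL
        "/\\www.amazon.com",         # backslash variant of the bypass
        "///www.amazon.com",         # extra leading slashes
        "javascript:alert(1)",       # scheme smuggling
        "/webapps/blackboard/execute/courseMain?course_id=_1_1",
    ]
    for s in samples:
        print(f"{s!r:58} naive={naive_is_safe(s)!s:5} allowlist={is_local_path(s)}")
```

The point of `is_local_path` is that it never tries to enumerate bad prefixes: anything that parses to a scheme or an authority, or that would acquire one after the browser's own normalisation (backslashes, repeated leading slashes), is refused, and only a root-relative path is let through. If the application also knows the set of paths a tab may legitimately load, tightening the final test to a fixed prefix is a further safe step.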
Current thread:
- Blackboard cross-domain frameset loading Cheng, Wang (Jan 02)
- <Possible follow-ups>
- Re: Blackboard cross-domain frameset loading Mike Austin (Jan 06)