Educause Security Discussion mailing list archives

Re: Blackboard cross-domain frameset loading


From: Mike Austin <mga+educause () UVM EDU>
Date: Tue, 6 Jan 2009 13:11:07 -0500

Thanks for this information.  We were worried enough about the phishing
implications of this that we implemented our own fix.

A co-worker of mine snooped through the java and was able to come up with
a fix that we have implemented on our production Blackboard servers (after
having run in test for two days).

Patch and installation information at:

http://www.uvm.edu/~bcodding/ticker/archives/16

The fix shows an error, rather than the site:

https://bb.uvm.edu/webapps/portal/frameset.jsp?tab=courses&url=//www.amazon.com

Mike
--
Systems Architecture & Administration
University of Vermont


On Sat, 3 Jan 2009, Cheng, Wang wrote:

First of all Happy New Year to everyone!

We were not aware of this and I had not seen any discussion about this on the list so just in case it is not common knowledge I wanted to
let those schools using Blackboard know that it has a cross-domain frameset loading vulnerability by which you can load virtually any url
into Blackboard's main frame by simply passing the url to
http://[yourblackboardsite.school.edu]/webapps/portal/frameset.jsp?tab=courses&url=//[ANYURL]

i.e.:
https://blackboard.sacredheart.edu/webapps/portal/frameset.jsp?tab=courses&url=//www.amazon.com will load Amazon's home 
page into our Blackboard site without any authentication or warning.

After some brief research it appears this vulnerability has existed in some form or another since at least version 6 (I believe we 
currently use v8 with the latest app pack).  Some examples: http://secunia.com/advisories/17991/ and http://www.securityfocus.com/bid/15814 
which seems to indicate it was patched back in v6.  I hope the "fix" Blackboard issued was not simply to require the addition of
"//" to the front of the url passed...

There is still some great potential for session hijacking or phishing scams pretending to be official university sites 
under your Blackboard banner.  Something to watch out for.

BR,
   Conrado Wang Cheng Niemeyer
   Information Security Officer
   Sacred Heart University
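The check that both messages above describe, written here as an added Python example rather than the Java/JSP patch linked from the UVM page: it treats the `url` parameter of frameset.jsp as a site-relative path and refuses anything else, including the protocol-relative `//host` form the post describes, so the caller renders an error instead of framing the target. The origin, the allowed path prefix and the function names are assumptions; the validator expects the already URL-decoded parameter value.

```python
from typing import Optional
from urllib.parse import urlsplit, urljoin

# Constructed values, not taken from any real Blackboard deployment.
SITE_ORIGIN = "https://bb.example.edu"   # hypothetical Blackboard host
ALLOWED_PREFIX = "/webapps/"              # only frame content under this path


def is_safe_frame_target(url: str) -> bool:
    """True only if `url` is a site-relative path that stays on SITE_ORIGIN.

    Rejects absolute URLs (http://host/...), protocol-relative URLs (//host/...),
    backslash variants (\\host, /\\host) that browsers normalise to //host,
    scheme-only forms (javascript:, data:) and paths that escape ALLOWED_PREFIX.
    """
    if not url or len(url) > 2048:
        return False
    # Browsers treat a backslash as a slash in the authority position,
    # so normalise before parsing rather than trusting urlsplit alone.
    candidate = url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return False
    if not candidate.startswith("/") or candidate.startswith("//"):
        return False
    # Resolve against our own origin; dot segments are collapsed here,
    # so "/webapps/../login" cannot slip past the prefix check below.
    resolved = urlsplit(urljoin(SITE_ORIGIN + "/", candidate))
    if resolved.netloc != urlsplit(SITE_ORIGIN).netloc:
        return False
    return resolved.path.startswith(ALLOWED_PREFIX)


def resolve_frame_target(url: str) -> Optional[str]:
    """Absolute same-origin URL to load in the frame, or None to show an error."""
    if not is_safe_frame_target(url):
        return None
    return urljoin(SITE_ORIGIN + "/", url.replace("\\", "/"))


if __name__ == "__main__":
    for sample in ("/webapps/portal/tab.jsp?tab=courses", "//www.amazon.com",
                   "http://www.amazon.com", "/\\www.amazon.com", "/webapps/../login"):
        print(f"{sample!r:45} -> {resolve_frame_target(sample)}")
```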

