As promised, some details on the security vulnerability I recently found. It concerned the Blackboard Content System, where users could upload files with scripting and then lure other users to those pages and hijack their Blackboard sessions and potentially steal their passwords using a specially crafted XMLHTTP request: https://listserv.surfnet.nl/scripts/wa.exe?A2=ind05&L=cert-bulletins&F=&S=&P=1115
The thing is, this is absolutely not new. I didn't invent it myself; it comes straight from a whitepaper dated 2003-01-20: http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf

Blackboard has begun issuing a series of patches, but apart from disabling TRACE it looks like they want to focus on filtering JavaScript. It will be interesting to see if they can find JavaScript better than I can hide it :)

Jochem
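
Added example, not part of the original post and not Blackboard's code: the post names disabling TRACE as one of the patches, and since a TRACE reply carries the received request back in its body, an administrator can classify a captured reply to see whether credentials are reflected. The host name, cookie value, and all request and response samples are constructed assumptions.

```python
# Added example: offline classification of a captured TRACE reply.
# All messages below are constructed samples, not real traffic.

SENSITIVE = ("cookie", "authorization")

REQUEST = ("TRACE / HTTP/1.1\r\n"
           "Host: lms.example.test\r\n"
           "Cookie: session_id=CONSTRUCTED-VALUE\r\n\r\n")

# TRACE honoured end to end: the body is the request as received.
RESP_ECHO = "HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n" + REQUEST
# TRACE refused by the server.
RESP_405 = "HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, POST\r\n\r\n"
# TRACE honoured, but an intermediary removed the Cookie header first.
RESP_STRIPPED = ("HTTP/1.1 200 OK\r\nContent-Type: message/http\r\n\r\n"
                 "TRACE / HTTP/1.1\r\nHost: lms.example.test\r\n\r\n")


def parse_headers(message):
    """Return {lowercased name: value} for the header lines of a raw message."""
    headers = {}
    for line in message.split("\r\n")[1:]:  # skip request/status line
        if not line:                        # blank line ends the headers
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def trace_exposure(request, response):
    """Classify a TRACE reply: 'disabled', 'enabled' or 'echoes-credentials'."""
    head, _, body = response.partition("\r\n\r\n")
    parts = head.split("\r\n")[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    if status != 200:
        return "disabled"                   # e.g. 405 or 501
    sent = parse_headers(request)
    echoed = parse_headers(body)            # body is the reflected request
    leaked = [h for h in SENSITIVE if h in sent and echoed.get(h) == sent[h]]
    return "echoes-credentials" if leaked else "enabled"


if __name__ == "__main__":
    for label, resp in (("echo", RESP_ECHO), ("405", RESP_405),
                        ("stripped", RESP_STRIPPED)):
        print(label, "->", trace_exposure(REQUEST, resp))
```

A result of "enabled" still warrants turning TRACE off, since the reflection only lacked credentials in that one capture.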