WebCT is an E-Learning system targeted at university and school settings. One of the courses I am taking uses WebCT v3.1.3. See my other page for a more general discussion of WebCT and its problems.
Javascript is a client-side scripting language for the web. It is written inside web pages and is executed by the browser of a visiting user. There are built-in limits on what javascript programs can do and access, but they are generally quite powerful in their potential abilities. This document discusses a vulnerability in WebCT that allows students to write javascript programs and have them executed by other visitors to the system. There is the potential for this vulnerability to be used maliciously, but I strongly encourage people to be responsible and alert their WebCT administrators if they feel their system is vulnerable.
The vulnerability described here is known generally as a 'cross-site scripting vulnerability'. A search for 'cross-site' may be informative.
There are many places in the WebCT system where students can enter text. Some examples are:
In most of the text places listed above, checks are done for javascript. If a student types javascript into the body of a bulletin board posting then a warning appears forcing the user to remove the javascript before the message is posted.
There are a few places where this check is NOT done. An example of this is the 'add link' functionality of the student homepages.
This example takes advantage of the missing checks in the 'add link' function of the student homepage in WebCT v3.1.3 (and possibly other versions).
test link" or something into the 'Title' field.
http://www.alanmacek.com/webct/" OnMouseOver="javascript:alert('POP UP!');
This simple example shows how the failure of WebCT to check the text being entered for the link allows a user to use javascript on their homepage.
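The missing check in the 'add link' URL field, as an added example that is not WebCT's code and not part of the original page: rendered without encoding, the quote in the input above closes the HREF attribute, while a scheme allowlist plus HTML-encoding on output keeps the whole input as data. The function names and the shape of the generated markup are assumptions.

```javascript
'use strict';
// Added example, not WebCT code. All function names are hypothetical.

// Encode the characters that can end an attribute value or start a tag.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: user text is pasted straight into the markup.
function renderLinkNaive(title, url) {
  return '<A HREF="' + url + '">' + title + '</A>';
}

// Hardened pattern: allowlist the scheme, normalise, then encode on output.
function renderLinkSafe(title, url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // not an absolute URL: reject
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null; // rejects javascript:, data: and other schemes
  }
  return '<A HREF="' + escapeHtml(parsed.href) + '">' + escapeHtml(title) + '</A>';
}

// The URL-field input from the example above.
const PAGE_INPUT =
  'http://www.alanmacek.com/webct/" OnMouseOver="javascript:alert(\'POP UP!\');';

// Attribute names a browser would see on the opening tag (crude, for illustration).
function attributeNames(html) {
  const tag = html.slice(0, html.indexOf('>'));
  return [...tag.matchAll(/\s([A-Za-z]+)=/g)].map((m) => m[1].toUpperCase());
}

console.log(attributeNames(renderLinkNaive('test link', PAGE_INPUT)));
console.log(attributeNames(renderLinkSafe('test link', PAGE_INPUT)));
```

A keyword check for "javascript" on input is not needed for this to hold: the encoded quote can no longer end the attribute, whatever follows it.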
Javascript does have limitations. For example, javascript cannot access the username or password of the person visiting the web page. I am pretty sure that javascript cannot access the user's hard drive.
Some of the things javascript can do are quite serious. For instance, a script can set and read cookies on the visitor's computer. With this vulnerability in WebCT, a malicious script could read or manipulate any cookie saved on the visitor's computer by the WebCT server. Since WebCT does not use cookies, this risk is limited, but the WebCT server could be running other websites in addition to WebCT.
Another example of what malicious javascript can do is described in this article by SANS.org: redirecting users to an external server that convinces them to enter their username and password before returning them to the original system.
To discuss any of these issues or for more information, contact me. I put together this document to point out what I feel are major problems with the current implementation of WebCT at UBC. If any of my points mentioned above are in error or have been addressed I will be glad to hear about it and will immediately update this document.
I am a senior-year student at the University of British Columbia who is currently required to use WebCT for one of my courses.
Alan Macek
See the links section at my general WebCT page.
This example places some code in place of the 'counter' feature of the personal homepage. Follow the procedure for the earlier example but instead of editing 'links', edit the counter. Then click on 'configuration' and type the following code into the 'before' and 'after' text boxes.
The following code uses cookies to keep track of how many times each browser visits the page. Similar code could read or overwrite any cookie on the user's browser placed by other students and/or WebCT. The only mitigating factor is that WebCT does not use cookies at this time.
"Text Before" code:
<SCRIPT>
/* Set cookie n to value v, expiring at Date x. */
function sC(n,v,x) {
  document.cookie = n + "=" + v + "; expires=" + x.toGMTString();
}
/* Return the value of cookie n, or null if it is not set. */
function gC(n) {
  var dc = document.cookie;
  n = n + "=";
  var b = dc.indexOf("; " + n);
  if (b == -1) {
    b = dc.indexOf(n);
    if (b != 0) return null;
  } else b += 2;
  var e = dc.indexOf(";", b);
  e = ((e == -1) ? dc.length : e);
  return dc.substring(b + n.length, e);
}
</SCRIPT> <!--
"Text After" code:
--> <SCRIPT>
/* Read the visit count from cookie "c", add one, and store it for a year. */
var v = gC("c");
v = (!v ? 1 : parseInt(v) + 1);
var e = new Date();
e.setTime(e.getTime() + 365*24*60*60*1000);
sC("c",v,e);
document.write("Visits by <B>YOU</B>: " + v);
</SCRIPT>