Bugtraq mailing list archives

Re: Blackboard Courseinfo v4.0 User Authentication


From: jeffb () CAMERON EDU (Jeff Beley)
Date: Tue, 18 Jul 2000 22:34:17 -0500


Blackboard 5 was recently released and supposedly fixes this problem...

--Jeff

On Tue, Jul 18, 2000 at 07:59:57PM -0500, Pedram Amini <amini () EECS TULANE EDU> wrote:
Apparently Courseinfo (or at least the implementation I was playing with)
has no user authentication, meaning that anyone can force feed their own
form values and Perl will merrily modify the database. So for instance
running:
(all form input is in caps for readability)

/bin/common/user_update_passwd.pl?user_id=VICTIM&firstname=FIRST&lastname=LAST&course_id=SOMECOURSE&password1=NEWPASSWD&password2=NEWPASSWD

will set the victim's password to whatever you please. Of course the downside to
this is that the next time the user attempts to login and his/her password
doesn't work some suspicion is bound to arise. Another thing you can do is
change your "role". Example:

/bin/common/user_update_admin.pl?user_id=MYID&course_id=SOMECOURSE&role=T&available_ind=Y

will up my "role" to TA. 's' will change you back to a student, and 'g' will
make you an instructor (grader?) (I guess Blackboard decided to get sneaky
here and not to use the obvious 'i' for instructor).

Blackboard advertises that over 1600 educational institutes use their
software, I haven't verified whether or not these methods work on other
schools.

You can find a brief list of schools using Courseinfo v4.0 at:
http://www.altavista.com/cgi-bin/query?sc=on&hl=on&q=%2B%22courseinfo+v4.0%22+%2B.edu&kl=XX&pg=q

The only prerequisite needed to launch these attacks is a valid account,
which is no big deal at all since just about every site I've seen allows you
to create one. Even if the create account button wasn't on the main page my
guess is that one could add an account with the following:

/bin/create_user_account.pl?runfirst=0&firstname=FIRST&lastname=LAST&email=ME () ME COM&user_id=MYID&password1=MYPASS&password2=MYPASS

I thought that maybe the runfirst=0 determines whether or not the account
being created is the first one or not. I imagine that the first account gets
some kind of special privileges, however feeding it a value of '1' doesn't
seem to have any effect.

I contacted Blackboard on February 15 of this year and all I've heard is a
thank you over the phone. I've tried writing again, and was ignored. Seeing
the other post on Courseinfo I figured this would be an appropriate time to
mention mine.

Pedram Amini
amini () eecs tulane edu

--
Jeff Beley
Linux System Administrator
Cameron University
jeffb () cameron edu
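
The flaw Pedram describes is a missing authorization check: the CGI scripts take user_id and role straight from the submitted form and act on them, so any account holder can reset another user's password or promote themselves. The following is an added illustration, not Blackboard's code and not from either poster: a small Python model of the two handlers, first written the way the post describes them and then hardened so that identity comes from the authenticated session, a password change requires the current password, and role changes require instructor privilege. The roster, the session argument and the role letters 's'/'t'/'g' are assumptions made only to mirror the post's description.

```python
"""
Added example (not Blackboard's code): a model of user_update_passwd.pl and
user_update_admin.pl, vulnerable and hardened. The roster below is constructed
sample data; the session user is passed in as an argument for simplicity.
"""
import hmac
from urllib.parse import parse_qs, urlsplit


def make_db():
    """Constructed course roster keyed by user_id (plaintext passwords only to keep the model short)."""
    return {
        "victim": {"password": "hunter2", "role": "s"},
        "attacker": {"password": "letmein", "role": "s"},
        "prof": {"password": "secret", "role": "g"},
    }


def form(url):
    """Flatten the query string of a request URL into single-valued form fields."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


# --- as described in the post: whoever submits the form decides user_id and role ---

def vulnerable_update_passwd(db, url):
    f = form(url)
    if f["password1"] != f["password2"]:
        return "mismatch"
    db[f["user_id"]]["password"] = f["password1"]   # user_id is attacker-controlled
    return "ok"


def vulnerable_update_admin(db, url):
    f = form(url)
    db[f["user_id"]]["role"] = f["role"]             # no check of the caller's own role
    return "ok"


# --- hardened: identity from the session, privilege checked on the server ---

class AuthError(Exception):
    pass


def hardened_update_passwd(db, session_user, url):
    f = form(url)
    row = db[session_user]                           # the form's user_id is ignored entirely
    # Require the current password so a forged or hijacked request cannot lock the user out.
    if not hmac.compare_digest(f.get("old_password", ""), row["password"]):
        raise AuthError("current password required")
    if f["password1"] != f["password2"]:
        return "mismatch"
    row["password"] = f["password1"]
    return "ok"


def hardened_update_admin(db, session_user, url):
    f = form(url)
    # Only an instructor ('g' in the post's description) may change roles, and never their own.
    if db[session_user]["role"] != "g":
        raise AuthError("instructor role required")
    target = f["user_id"]
    if target == session_user:
        raise AuthError("cannot change own role")
    if f["role"] not in ("s", "t", "g"):
        raise ValueError("unknown role")
    db[target]["role"] = f["role"]
    return "ok"


def attempt(fn, *args):
    """Run a handler and return its result, or 'denied' if it refused the request."""
    try:
        return fn(*args)
    except AuthError:
        return "denied"


if __name__ == "__main__":
    db = make_db()
    reset = "/bin/common/user_update_passwd.pl?user_id=victim&password1=pwned&password2=pwned"
    promote = "/bin/common/user_update_admin.pl?user_id=attacker&course_id=c&role=t&available_ind=Y"
    print("vulnerable reset:", attempt(vulnerable_update_passwd, db, reset), db["victim"])
    print("vulnerable promote:", attempt(vulnerable_update_admin, db, promote), db["attacker"])
    db = make_db()
    print("hardened reset as attacker:", attempt(hardened_update_passwd, db, "attacker", reset))
    print("hardened promote as attacker:", attempt(hardened_update_admin, db, "attacker", promote))
    print("hardened promote as prof:", attempt(hardened_update_admin, db, "prof", promote))
```

The fix is not input validation on the form: the server must never accept the subject of a privileged action from the client when it can be taken from the session, and every state-changing script needs its own authorization check, since a CGI directory with one unprotected script is as open as one with none.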
