Bugtraq mailing list archives
Security Fix for Blackboard CourseInfo 4.0
From: aleph1 () securityfocus com (aleph1 () securityfocus com)
Date: Wed, 19 Jul 2000 15:19:04 -0700
----- Forwarded message from Daniel Cane <dcane () blackboard com> -----

Message-ID: <FB48B8939127D411B07700B0D04903323B6E0A () bbmail1 blackboard net>
From: Daniel Cane <dcane () blackboard com>
To: "'aleph1 () securityfocus com'" <aleph1 () securityfocus com>
Subject: RE: Security Fix for Blackboard CourseInfo 4.0
Date: Wed, 19 Jul 2000 16:18:50 -0400
X-Mailer: Internet Mail Service (5.5.2650.21)

I would love you to. There has also been some traffic about some other bugs which have been fixed in previous versions. Could you post the following:

-----------

Blackboard has recently learned about a possible security issue with Microsoft NT that could impact Blackboard customers running Blackboard CourseInfo 4.0 with Microsoft NT. This combination does NOT affect clients using CourseInfo 4.0 on Unix or any client who has upgraded to Blackboard 5.

In collaboration with Microsoft, the Blackboard product development team has developed a fix that will generate the level of security that our customers expect. The patch encrypts the information that Blackboard stores within the System Registry.

You can have direct access to the download at http://company.blackboard.com/Support/files/Courseinfo4hotfix.exe.

The patch is also available by following these instructions:

o Go to http://support.blackboard.com
o Go to the "System Administrator Support" area and login with your user ID and password
o Click on "What's New"
o Click the item titled: "NT Security Encryption Patch"

Once the patch has been downloaded, follow the regular procedures to upgrade your server.

Also, if you have not already done so, it is suggested that you protect your registry from network access since the default permissions within the Windows NT Server do not restrict who has remote access to the registry. Microsoft has provided detailed instructions at (http://www.microsoft.com/TechNet/security/c2config.asp#25).

Additionally, there have been messages floating around the net regarding the ability for users to change each other's passwords and change their security level within the software. As of the February 2000 release of the software, Build 408 of CourseInfo 4.0, the security questions concerns mentioned on several listservs by which unauthorized users can change passwords or upgrade roles through circumventing the user interface and posting directly to the application itself do not exist.

Blackboard continues its mission to provide the best possible online academic teaching and learning experience possible. If you have any questions about this patch or the upgrade, please feel free to contact our Technical Support Line at (888) 788-5264.

Thanks!

Daniel Cane
Senior Vice President
Advanced Research and Development
Blackboard, Inc.
1899 L St. NW 5th Floor
Washington, DC 20036
202-463-4860 ext. 204 (voice)
202-463-4863 (fax)
dcane () blackboard com
http://www.blackboard.com/

-----Original Message-----
From: aleph1 () securityfocus com [mailto:aleph1 () securityfocus com]
Sent: Wednesday, July 19, 2000 3:47 PM
To: Daniel Cane
Subject: Re: Security Fix for Blackboard CourseInfo 4.0

Daniel,

Care to post this information to the BUGTRAQ mailing list as well? It's at bugtraq () securityfocus com. Thanks.

* Daniel Cane (dcane () BLACKBOARD COM) [000718 20:24]:
To whom it may concern:

Blackboard has recently learned about a possible security issue with Microsoft NT that could impact Blackboard customers running Blackboard CourseInfo 4.0 with Microsoft NT. This combination does NOT affect clients using CourseInfo 4.0 on Unix or any client who has upgraded to Blackboard 5.

The Blackboard product development team has developed a fix that will generate the level of security that our customers expect. The patch encrypts the information that Blackboard stores within the System Registry.

You can have direct access to the download at http://company.blackboard.com/Support/files/Courseinfo4hotfix.exe.

The patch is also available by following these instructions:

o Go to http://support.blackboard.com
o Go to the "System Administrator Support" area and login with your user ID and password
o Click on "What's New"
o Click the item titled: "NT Security Encryption Patch"

Once the patch has been downloaded, follow the regular procedures to upgrade your server.

Also, if you have not already done so, it is suggested that you protect your registry from network access since the default permissions within the Windows NT Server do not restrict who has remote access to the registry. Microsoft has provided detailed instructions at (http://www.microsoft.com/TechNet/security/c2config.asp#25).

Blackboard continues its mission to provide the best possible online academic teaching and learning experience possible. If you have any questions about this patch or the upgrade, please feel free to contact our Technical Support Line at (888) 788-5264.

Regards,
Blackboard, Inc.

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum