[15851] in bugtraq


Re: Blackboard Courseinfo v4.0 User Authentication

daemon@ATHENA.MIT.EDU (Jeff Beley)
Wed Jul 19 11:46:43 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID:  <20000718223417.A75963@daemon9.cameron.edu>
Date:         Tue, 18 Jul 2000 22:34:17 -0500
Reply-To: Jeff Beley <jeffb@CAMERON.EDU>
From: Jeff Beley <jeffb@CAMERON.EDU>
X-To:         Pedram Amini <amini@EECS.TULANE.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <NDBBJCMNOLEKOCMECKFHCEPMCGAA.amini@eecs.tulane.edu>; from
              amini@EECS.TULANE.EDU on Tue, Jul 18, 2000 at 07:59:57PM -0500

Blackboard  5 was recently released and supposedly fixes this problem...

--Jeff

On Tue, Jul 18, 2000 at 07:59:57PM -0500, Pedram Amini <amini@EECS.TULANE.EDU> wrote:
> Apparently Courseinfo (or at least the implementation I was playing with)
> has no user authentication, meaning that anyone can force feed their own
> form values and Perl will merrily modify the database. So for instance
> running:
> (all form input is in caps for readability)
>
> /bin/common/user_update_passwd.pl?user_id=VICTIM&firstname=FIRST&lastname=LAST&course_id=SOMECOURSE&password1=NEWPASSWD&password2=NEWPASSWD
>
> will set the victim's password to whatever you please. Of course the downside to
> this is that the next time the user attempts to log in and his/her password
> doesn't work some suspicion is bound to arise. Another thing you can do is
> change your "role". Example:
>
> /bin/common/user_update_admin.pl?user_id=MYID&course_id=SOMECOURSE&role=T&available_ind=Y
>
> will up my "role" to TA. 's' will change you back to a student, and 'g' will
> make you an instructor (grader?) (I guess Blackboard decided to get sneaky
> here and not to use the obvious 'i' for instructor).
>
> Blackboard advertises that over 1600 educational institutes use their
> software; I haven't verified whether or not these methods work at other
> schools.
>
> You can find a brief list of schools using Courseinfo v4.0 at:
> http://www.altavista.com/cgi-bin/query?sc=on&hl=on&q=%2B%22courseinfo+v4.0%22+%2B.edu&kl=XX&pg=q
>
> The only prerequisite needed to launch these attacks is a valid account,
> which is no big deal at all since just about every site I've seen allows you
> to create one. Even if the create account button wasn't on the main page my
> guess is that one could add an account with the following:
>
> /bin/create_user_account.pl?runfirst=0&firstname=FIRST&lastname=LAST&email=ME@ME.COM&user_id=MYID&password1=MYPASS&password2=MYPASS
>
> I thought that maybe the runfirst=0 determines whether or not the account
> being created is the first one or not. I imagine that the first account gets
> some kind of special privileges; however, feeding it a value of '1' doesn't
> seem to have any effect.
>
> I contacted Blackboard on February 15 of this year and all I've heard is a
> thank you over the phone. I've tried writing again, and was ignored. Seeing
> the other post on Courseinfo I figured this would be an appropriate time to
> mention mine.
>
> Pedram Amini
> amini@eecs.tulane.edu

--
Jeff Beley
Linux System Administrator
Cameron University
jeffb@cameron.edu
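Added illustration, not part of either message or of Blackboard's code: the flaw Pedram describes is that user_update_passwd.pl and user_update_admin.pl act on whatever user_id and role the form submits. The Python below is a hypothetical hardened counterpart of those two handlers that binds every change to the authenticated session; the role codes are the ones reported above, and the in-memory database and account names are constructed.

```python
"""Hypothetical authorization layer for CourseInfo-style form handlers.
The original scripts (per the post) trust submitted user_id/role fields;
these checks tie each change to the authenticated session instead."""

# Role codes as reported in the post: 's' student, 'T' TA, 'g' instructor.
STUDENT, TA, INSTRUCTOR = "s", "T", "g"
KNOWN_ROLES = (STUDENT, TA, INSTRUCTOR)


class CourseDB:
    """Constructed in-memory stand-in for the database the scripts modify."""

    def __init__(self):
        self.passwords = {"alice": "pw1", "bob": "pw2", "prof": "pw3"}
        self.roles = {("alice", "cs101"): STUDENT,
                      ("bob", "cs101"): STUDENT,
                      ("prof", "cs101"): INSTRUCTOR}


def check_password_change(session_user, form):
    """Return None if allowed, otherwise the reason the request is denied.
    The submitted user_id must equal the logged-in user; the form value is
    never trusted on its own."""
    if session_user is None:
        return "not logged in"
    if form.get("user_id") != session_user:
        return "user_id does not match session"
    if not form.get("password1") or form["password1"] != form.get("password2"):
        return "password fields missing or mismatched"
    return None


def update_password(db, session_user, form):
    """Hardened user_update_passwd.pl: apply only when the check passes."""
    reason = check_password_change(session_user, form)
    if reason is None:
        db.passwords[session_user] = form["password1"]
    return reason


def update_role(db, session_user, form):
    """Hardened user_update_admin.pl: only an instructor of course_id may
    assign roles in that course, and only known role codes are accepted."""
    course = form.get("course_id")
    if session_user is None:
        return "not logged in"
    if db.roles.get((session_user, course)) != INSTRUCTOR:
        return "caller is not an instructor of this course"
    if form.get("role") not in KNOWN_ROLES:
        return "unknown role code"
    db.roles[(form["user_id"], course)] = form["role"]
    return None
```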
