[15865] in bugtraq
Re: Blackboard Courseinfo v4.0 User Authentication
daemon@ATHENA.MIT.EDU (Sultan Meghji)
Thu Jul 20 16:20:20 2000
Message-Id: <200007191550.KAA03719@chef.itcs.nwu.edu>
Date: Wed, 19 Jul 2000 10:50:43 CDT
Reply-To: Sultan Meghji <meghji@CHEF.ITCS.NWU.EDU>
From: Sultan Meghji <meghji@CHEF.ITCS.NWU.EDU>
X-To: jeffb@CAMERON.EDU
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000718223417.A75963@daemon9.cameron.edu>; from "Jeff Beley" at
Jul 18, 100 10:34 pm
Actually, Blackboard 5 is not in general release yet (although I just
got an email about it). This is a problem with every version out
right now. To my knowledge, Blackboard 5 still does not use SSL and
still does not use any sort of ticketed user authentication/authorization
scheme. We had to hack versions 3 and 4 with our own distro of ssl +
kerberos to get it to be even slightly 'secure'.
>
> Blackboard 5 was recently released and supposedly fixes this problem...
>
> --Jeff
>
> On Tue, Jul 18, 2000 at 07:59:57PM -0500, Pedram Amini <amini@EECS.TULANE.EDU> wrote:
> > Apparently Courseinfo (or at least the implementation I was playing with)
> > has no user authentication, meaning that anyone can force feed their own
> > form values and Perl will merrily modify the database. So for instance
> > running:
> > (all form input is in caps for readability)
> >
> > /bin/common/user_update_passwd.pl?user_id=VICTIM&firstname=FIRST&lastname=LAST&course_id=SOMECOURSE&password1=NEWPASSWD&password2=NEWPASSWD
> >
> > will set victims password to whatever you please. Of course the downside to
> > this is that the next time the user attempts to login and his/her password
> > doesn't work some suspicion is bound to arise. Another thing you can do is
> > change your "role". Example:
> >
> > /bin/common/user_update_admin.pl?user_id=MYID&course_id=SOMECOURSE&role=T&available_ind=Y
> >
> > will up my "role" to TA. 's' will change you back to a student, and 'g' will
> > make you an instructor (grader?) (I guess Blackboard decided to get sneaky
> > here and not to use the obvious 'i' for instructor).
> >
> > Blackboard advertises that over 1600 educational institutes use their
> > software, I haven't verified whether or not these methods work on other
> > schools.
> >
> > You can find a brief list of schools using Courseinfo v4.0 at:
> > http://www.altavista.com/cgi-bin/query?sc=on&hl=on&q=%2B%22courseinfo+v4.0%22+%2B.edu&kl=XX&pg=q
> >
> > The only prerequisite needed to launch these attacks is a valid account,
> > which is no big deal at all since just about every site I've seen allows you
> > to create one. Even if the create account button wasn't on the main page my
> > guess is that one could add an account with the following:
> >
> > /bin/create_user_account.pl?runfirst=0&firstname=FIRST&lastname=LAST&email=ME@ME.COM&user_id=MYID&password1=MYPASS&password2=MYPASS
> >
> > I thought that maybe the runfirst=0 determines whether or not the account
> > being created is the first one or not. I imagine that the first account gets
> > some kind of special privileges, however feeding it a value of '1' doesn't
> > seem to have any effect.
> >
> > I contacted Blackboard on February 15 of this year and all I've heard is a
> > thank you over the phone. I've tried writing again, and was ignored. Seeing
> > the other post on Courseinfo I figured this would be an appropriate time to
> > mention mine.
> >
> > Pedram Amini
> > amini@eecs.tulane.edu
>
> --
> Jeff Beley
> Linux System Administrator
> Cameron University
> jeffb@cameron.edu
>
--
Sultan Meghji IT Systems Engineer
Northwestern University, Evanston, Il
meghji@northwestern.edu 847.467.1600
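An added illustration of the defect Pedram's quoted post describes (the user_update_passwd.pl and user_update_admin.pl cases), written for this page; it is not Blackboard's code and not code posted by anyone in the thread. It models the handlers in Python rather than Perl, with a constructed in-memory database: the "vulnerable" pair takes the target user_id and role straight from the form, as the post describes, and the "hardened" pair takes the acting user from a server-side session and only lets an instructor ('g') change roles. The user names, the course "cs101", the session layout, and the rule that only 'g' may change enrollments are assumptions of the example, not documented Courseinfo behaviour.

```python
import hashlib
import hmac
import os

# Role codes as the post describes them: 's' student, 'T' teaching assistant,
# 'g' instructor. Treating 'g' as the only role that may change enrollments is
# an assumption of this example, not documented Courseinfo behaviour.
VALID_ROLES = {"s", "T", "g"}
ADMIN_ROLES = {"g"}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """Constructed in-memory stand-in for the Courseinfo database."""
    db = {"users": {}, "roles": {}}
    for uid, pw in (("alice", "alice-pw"), ("mallory", "mallory-pw"), ("bob", "bob-pw")):
        salt = os.urandom(16)
        db["users"][uid] = (salt, _hash(pw, salt))
    db["roles"][("cs101", "alice")] = "s"    # victim, a student
    db["roles"][("cs101", "mallory")] = "s"  # attacker, also a student
    db["roles"][("cs101", "bob")] = "g"      # the instructor
    return db


def verify_password(db, user_id, password):
    salt, stored = db["users"][user_id]
    return hmac.compare_digest(stored, _hash(password, salt))


def _set_password(db, user_id, form):
    if form["password1"] != form["password2"]:
        raise ValueError("passwords do not match")
    salt = os.urandom(16)
    db["users"][user_id] = (salt, _hash(form["password1"], salt))


# --- vulnerable handlers: the pattern the post describes --------------------

def vuln_update_passwd(db, form):
    """user_update_passwd.pl as described: the submitter picks the target
    user_id; no session is consulted at all."""
    _set_password(db, form["user_id"], form)
    return form["user_id"]


def vuln_update_admin(db, form):
    """user_update_admin.pl as described: the submitter picks user_id, course
    and the new role."""
    key = (form["course_id"], form["user_id"])
    db["roles"][key] = form["role"]
    return db["roles"][key]


# --- hardened handlers ------------------------------------------------------

def safe_update_passwd(db, session, form):
    """The target comes from the server-side session, never the form. A form
    user_id that disagrees with the session is a tampered request and is
    refused rather than silently corrected, so it can be logged."""
    actor = session["user_id"]
    if form.get("user_id", actor) != actor:
        raise PermissionError("user_id in form does not match session")
    _set_password(db, actor, form)
    return actor


def safe_update_admin(db, session, form):
    """Role changes require the acting user to hold an admin role in that
    course, and the requested role is checked against a whitelist."""
    actor = session["user_id"]
    course = form["course_id"]
    if db["roles"].get((course, actor)) not in ADMIN_ROLES:
        raise PermissionError("not an instructor in this course")
    if form["role"] not in VALID_ROLES:
        raise ValueError("unknown role")
    db["roles"][(course, form["user_id"])] = form["role"]
    return form["role"]


def attempt(handler, *args):
    """Run a handler and report (succeeded, result or exception name), so the
    two handler families can be compared side by side."""
    try:
        return True, handler(*args)
    except (PermissionError, ValueError) as exc:
        return False, type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    reset = {"user_id": "alice", "password1": "pwned", "password2": "pwned"}
    promote = {"user_id": "mallory", "course_id": "cs101", "role": "T"}
    print("vulnerable:", attempt(vuln_update_passwd, db, reset),
          attempt(vuln_update_admin, db, promote))
    db = make_db()
    mallory = {"user_id": "mallory"}  # assumed to be set by a real login step
    print("hardened:  ", attempt(safe_update_passwd, db, mallory, reset),
          attempt(safe_update_admin, db, mallory, promote))
```

The essential change is that identity and privilege are read from state the server controls (the session and the existing enrollment table), while the form supplies only the values the user is entitled to choose; whatever user_id or role an attacker pastes into the query string is then either ignored or rejected.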