Subject: Re: Blackboard Courseinfo v4.0 User Authentication
From: Jeff Beley (jeffb@CAMERON.EDU)
Date: Tue Jul 18 2000 - 22:34:17 CDT
- Next message: Darren Reed: "Re: Security hole in Win2K's FTP server"
- Previous message: Ussr Labs: "Remotely Exploitable Buffer Overflow in Outlook "Malformed E-mail MIME Header" Vulnerability"
- In reply to: Pedram Amini: "Blackboard Courseinfo v4.0 User Authentication"
- Next in thread: Sultan Meghji: "Re: Blackboard Courseinfo v4.0 User Authentication"
- Reply: Jeff Beley: "Re: Blackboard Courseinfo v4.0 User Authentication"
- Reply: Sultan Meghji: "Re: Blackboard Courseinfo v4.0 User Authentication"
Blackboard 5 was recently released and supposedly fixes this problem...
--Jeff
On Tue, Jul 18, 2000 at 07:59:57PM -0500, Pedram Amini <amini@EECS.TULANE.EDU> wrote:
> Apparently Courseinfo (or at least the implementation I was playing with)
> has no user authentication, meaning that anyone can force feed their own
> form values and Perl will merrily modify the database. So for instance
> running:
> (all form input is in caps for readability)
>
> /bin/common/user_update_passwd.pl?user_id=VICTIM&firstname=FIRST&lastname=LAST&course_id=SOMECOURSE&password1=NEWPASSWD&password2=NEWPASSWD
>
> will set the victim's password to whatever you please. Of course the downside to
> this is that the next time the user attempts to login and his/her password
> doesn't work some suspicion is bound to arise. Another thing you can do is
> change your "role". Example:
>
> /bin/common/user_update_admin.pl?user_id=MYID&course_id=SOMECOURSE&role=T&available_ind=Y
>
> will up my "role" to TA. 's' will change you back to a student, and 'g' will
> make you an instructor (grader?) (I guess Blackboard decided to get sneaky
> here and not to use the obvious 'i' for instructor).
>
> Blackboard advertises that over 1600 educational institutes use their
> software, I haven't verified whether or not these methods work on other
> schools.
>
> You can find a brief list of schools using Courseinfo v4.0 at:
> http://www.altavista.com/cgi-bin/query?sc=on&hl=on&q=%2B%22courseinfo+v4.0%22+%2B.edu&kl=XX&pg=q
>
> The only prerequisite needed to launch these attacks is a valid account,
> which is no big deal at all since just about every site I've seen allows you
> to create one. Even if the create account button wasn't on the main page my
> guess is that one could add an account with the following:
>
> /bin/create_user_account.pl?runfirst=0&firstname=FIRST&lastname=LAST&email=ME@ME.COM&user_id=MYID&password1=MYPASS&password2=MYPASS
>
> I thought that maybe the runfirst=0 determines whether or not the account
> being created is the first one or not. I imagine that the first account gets
> some kind of special privileges, however feeding it a value of '1' doesn't
> seem to have any effect.
>
> I contacted Blackboard on February 15 of this year and all I've heard is a
> thank you over the phone. I've tried writing again, and was ignored. Seeing
> the other post on Courseinfo I figured this would be an appropriate time to
> mention mine.
>
> Pedram Amini
> amini@eecs.tulane.edu
--
Jeff Beley
Linux System Administrator
Cameron University
jeffb@cameron.edu
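What the missing server-side authorization check for the two update scripts in the quoted post would look like, written here as an added example from a defender's perspective; it is not Blackboard's code and not from anyone in the thread. The enrolment table, course id and user names are constructed, and the rule that an instructor may reset an enrolled user's password is an assumption.

```python
# Added example: authorization gate the post says is missing from the
# Courseinfo scripts.  A request must be tied to the logged-in session user,
# not to whatever user_id/role arrives in the form.
from urllib.parse import urlsplit, parse_qs

# Constructed sample enrolment table: (course_id, user_id) -> role.
# Role letters follow the post: 's' student, 't' TA, 'g' instructor.
ENROLMENT = {
    ("CS101", "alice"): "g",
    ("CS101", "bob"): "s",
    ("CS101", "carol"): "s",
}

def role_of(course_id, user_id):
    return ENROLMENT.get((course_id, user_id))

def authorize(session_user, url):
    """Return (allowed, reason) for a user_update_*.pl request URL."""
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    target, course = q.get("user_id"), q.get("course_id")
    if not session_user:
        return False, "no authenticated session"
    if script == "user_update_passwd.pl":
        # Password may be changed by the account owner, or (assumption)
        # by an instructor of the course the target is enrolled in.
        if target == session_user:
            return True, "self-service password change"
        if role_of(course, session_user) == "g" and role_of(course, target):
            return True, "instructor resetting an enrolled user"
        return False, "password change for another user refused"
    if script == "user_update_admin.pl":
        # The role value in the form is honoured only when the caller is
        # already an instructor of that course; a student cannot self-promote.
        if role_of(course, session_user) != "g":
            return False, "only instructors may change roles"
        if q.get("role", "").lower() not in ("s", "t", "g"):
            return False, "unknown role value"
        return True, "instructor changing a role"
    return False, "unknown script"
```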