
Blackboard CourseInfo 4.0 no user authentication?



Vulnerability

    Courseinfo

Affected

    Blackboard Courseinfo v4.0

Description

    Pedram Amini found the following.  Apparently Courseinfo (or at least
    the implementation Pedram was playing with) has no user authentication,
    meaning that anyone can force-feed their own form values and the Perl
    scripts will merrily modify the database.  So, for instance, running
    (all form input is in caps for readability):

        /bin/common/user_update_passwd.pl?user_id=VICTIM&firstname=FIRST&lastname=LAST&course_id=SOMECOURSE&password1=NEWPASSWD&password2=NEWPASSWD

    will set the victim's password to whatever you please.  Of course the
    downside to this is that the next time the user attempts to log in
    and his/her password doesn't work, some suspicion is bound to arise.
    Another thing you can do is change your "role".  Example:

        /bin/common/user_update_admin.pl?user_id=MYID&course_id=SOMECOURSE&role=T&available_ind=Y

    will raise my "role" to TA.  's' will change you back to a student,
    and 'g' will make you an instructor (grader?).

    Blackboard advertises that over 1600 educational institutions use
    their software.  You can find a brief list of schools using
    Courseinfo v4.0 at:

        http://www.altavista.com/cgi-bin/query?sc=on&hl=on&q=%2B%22courseinfo+v4.0%22+%2B.edu&kl=XX&pg=q

    The only prerequisite needed to launch these attacks is a valid
    account, which is no big deal at all since just about every site
    seen allows you to create one.  Even if the create-account button
    wasn't on the main page, the guess is that one could add an account
    with the following:

        /bin/create_user_account.pl?runfirst=0&firstname=FIRST&lastname=LAST&email=ME@ME.COM&user_id=MYID&password1=MYPASS&password2=MYPASS

    Pedram thought that maybe runfirst=0 determines whether or not the
    account being created is the first one.  He imagines that the first
    account gets some kind of special privileges; however, feeding it a
    value of '1' doesn't seem to have any effect.
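
    As an added example (not CourseInfo's code, and not from the original
    advisory), the handler pattern the advisory describes beside a hardened
    version, modelled in Python with an in-memory stand-in for the database:
    the fixed handlers take the acting user's identity from the server-side
    session rather than from the form, and a role change requires the caller
    to already hold the instructor role in that course.  The role codes
    follow the advisory; their case-normalisation, the status strings and the
    Store class are assumptions.

```python
from dataclasses import dataclass, field

# Role codes as the advisory lists them ('s', 'T', 'g'); upper-cased here (an assumption).
ROLES = {"S": "student", "T": "ta", "G": "instructor"}


@dataclass
class Store:
    """Constructed in-memory stand-in for CourseInfo's database."""
    passwords: dict = field(default_factory=dict)  # user_id -> password (plaintext only for the demo)
    roles: dict = field(default_factory=dict)      # (course_id, user_id) -> role code


def update_passwd_as_described(store, form):
    """The pattern the advisory describes: every field, including user_id,
    is taken from the request, so any account holder can reset any password."""
    if form["password1"] != form["password2"]:
        return "password_mismatch"
    store.passwords[form["user_id"]] = form["password1"]
    return "ok"


def update_passwd_fixed(store, session_user, form):
    """Hardened form: the account acted on is the one bound to the server-side
    session; a user_id in the form that names anyone else is refused."""
    if session_user is None:
        return "login_required"
    if form.get("user_id", session_user) != session_user:
        return "forbidden"
    if form["password1"] != form["password2"]:
        return "password_mismatch"
    store.passwords[session_user] = form["password1"]
    return "ok"


def update_role_fixed(store, session_user, form):
    """Hardened role change: the requested role is validated, and the caller
    must already hold the instructor role in that course according to the
    database, not according to anything in the request."""
    if session_user is None:
        return "login_required"
    course, target = form["course_id"], form["user_id"]
    new_role = form["role"].upper()
    if new_role not in ROLES:
        return "bad_role"
    if store.roles.get((course, session_user)) != "G":
        return "forbidden"
    store.roles[(course, target)] = new_role
    return "ok"
```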

Solution

    Blackboard  5  was  recently  released  and  supposedly fixes this
    problem.

