COMMAND
Courseinfo
SYSTEMS AFFECTED
Blackboard Courseinfo v4.0
PROBLEM
Pedram Amini found the following. Apparently Courseinfo (or at least
the implementation Pedram was playing with) has no user
authentication, meaning that anyone can force feed their own form
values and Perl will merrily modify the database. So for instance
running (all form input is in caps for readability):
/bin/common/user_update_passwd.pl?user_id=VICTIM&firstname=FIRST&lastname=LAST&course_id=SOMECOURSE&password1=NEWPASSWD&password2=NEWPASSWD
will set the victim's password to whatever you please. Of course the
downside to this is that the next time the user attempts to log in
and his/her password doesn't work, some suspicion is bound to
arise. Another thing you can do is change your "role". Example:
/bin/common/user_update_admin.pl?user_id=MYID&course_id=SOMECOURSE&role=T&available_ind=Y
will up my "role" to TA. 's' will change you back to a student,
and 'g' will make you an instructor (grader?).
Blackboard advertises that over 1600 educational institutes use
their software. You can find a brief list of schools using
Courseinfo v4.0 at:
http://www.altavista.com/cgi-bin/query?sc=on&hl=on&q=%2B%22courseinfo+v4.0%22+%2B.edu&kl=XX&pg=q
The only prerequisite needed to launch these attacks is a valid
account, which is no big deal at all since just about every site
seen allows you to create one. Even if the create account button
weren't on the main page, the guess is that one could add an account
with the following:
/bin/create_user_account.pl?runfirst=0&firstname=FIRST&lastname=LAST&email=ME@ME.COM&user_id=MYID&password1=MYPASS&password2=MYPASS
Pedram thought that maybe runfirst=0 determines whether the
account being created is the first one. He imagines
that the first account gets some kind of special privileges;
however, feeding it a value of '1' doesn't seem to have any effect.
SOLUTION
Blackboard 5 was recently released and supposedly fixes this
problem.
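Sites still running Courseinfo v4.0 can review their web server logs for the two state-changing requests described under PROBLEM. The following Python script is an added example, not part of the original advisory or of Blackboard's code. It assumes Common Log Format with the logged-in account recorded in the authuser field and a hypothetical set of known instructor accounts; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts named in the advisory that change account state.
PASSWD = "/bin/common/user_update_passwd.pl"
ADMIN = "/bin/common/user_update_admin.pl"

# Common Log Format: host ident authuser [date] "METHOD target PROTO" ...
# Assumption: authuser holds the account that made the request.
CLF = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*"')

def audit(lines, instructors):
    """Return (line_no, kind, actor, target_user) for requests that set
    another account's password, or set a role when the actor is not in
    the given set of instructor accounts."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = CLF.match(line)
        if not m:
            continue  # unparseable line, skip
        _host, actor, _method, target = m.groups()
        url = urlsplit(target)
        q = {k: v[0] for k, v in parse_qs(url.query).items()}
        target_user = q.get("user_id")
        if url.path == PASSWD and target_user and target_user != actor:
            findings.append((n, "password", actor, target_user))
        elif url.path == ADMIN and "role" in q and actor not in instructors:
            findings.append((n, "role", actor, target_user))
    return findings

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    '192.0.2.10 - alice [01/Jan/2001:10:00:00 +0000] "GET /bin/common/user_update_passwd.pl?user_id=alice&course_id=C1&password1=x&password2=x HTTP/1.0" 200 512',
    '192.0.2.66 - mallory [01/Jan/2001:10:05:00 +0000] "GET /bin/common/user_update_passwd.pl?user_id=alice&course_id=C1&password1=y&password2=y HTTP/1.0" 200 512',
    '192.0.2.66 - mallory [01/Jan/2001:10:06:00 +0000] "GET /bin/common/user_update_admin.pl?user_id=mallory&course_id=C1&role=T&available_ind=Y HTTP/1.0" 200 300',
    '192.0.2.20 - prof [01/Jan/2001:10:07:00 +0000] "GET /bin/common/user_update_admin.pl?user_id=bob&course_id=C1&role=T&available_ind=Y HTTP/1.0" 200 300',
    'truncated or malformed line',
    '192.0.2.10 - alice [01/Jan/2001:10:08:00 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, instructors={"prof"}):
        print(finding)
```

Where the server does not record the account name in the log, the session identifier has to be mapped to an account before this comparison is meaningful.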