Blackboard 5.x Password Retrieval

From: Pedram Amini (pedramat_private)
Date: Tue Jan 21 2003 - 09:24:22 PST


    -- Overview
    
    Through the exploitation of a SQL injection vulnerability it is possible for
    an unauthenticated user to query the Blackboard user directory and:
    
        - Enumerate users with a given password.
        - Extract the MD5 password of any given user.
    
    Blackboard Learning System 5.x, level 1 and 2 are affected.
    
    
    -- Description
    
    Improper filtering in the address book search feature allows an attacker to
    inject SQL statements into a query that is executed with read access to the
    users table. The address book search feature is implemented by
    /bin/common/search.pl and the improperly filtered argument is "by". It is a
    trivial matter for an attacker to construct queries that will return a
    listing of all users with a given password. It is also possible for an
    attacker to execute a scripted attack that can extract the MD5 hashed
    password of a specific user.
    
    A valid account is not required to exploit the above-described
    vulnerabilities. Most (all?) organizations have a "preview" button on the
    login screen allowing anyone to log in to a restricted version of the system.
    Preview users are not given an interface to the address book. However,
    despite the fact that the address book is "hidden" from preview users, it is
    not actually restricted. The scripts required for exploitation are indeed
    accessible to the preview user, thereby opening the window of exploitation to
    any remote user.
    
    A more detailed and technical explanation of the vulnerability is available
    at http://pedram.redhive.com/advisories/blackboard5.txt
    
    
    -- Lessons to Learn
    
        - Use of unfiltered, user-provided data within SQL queries is a
          common web application programming error.
        - Blocked and/or removed functionality should be enforced on the back
          end as well as the front end.
        - User authentication information should not be stored in the same
          table as biographical information. Cross-table SQL injection tricks
          are more difficult to find, and the authentication table should only
          be accessed when authentication is actually needed.
        - Suppress script failure debug outputs in production environments.
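    
    The following is an added example (not code from the advisory or from
    Blackboard) that models the defect described above and the four lessons in
    one small search handler. It is written in Python with sqlite3 rather than
    the Perl of search.pl; the table layout, column names, sample users, the
    parameter name "term" and the role values are constructed assumptions. The
    vulnerable_search_sql function shows the pattern in which the client's "by"
    value becomes SQL text; handle_search shows the hardened form: a back-end
    role check for preview sessions, an allow-list for the column name (a column
    name cannot be bound as a query parameter), a bound parameter for the search
    term, credentials kept in a separate table that the search never touches,
    and a generic error instead of the database's message.
    
    ```python
    import hashlib
    import sqlite3
    
    # Constructed sample directory. Two tables follow lesson 3 (biographical
    # data apart from credentials); this is an assumption of the example, not
    # Blackboard's real schema.
    SAMPLE_USERS = [
        ("alice", "Alice", "Anders", "alice@example.edu", "user"),
        ("bob", "Bob", "Baker", "bob@example.edu", "user"),
        ("guest", "Preview", "Guest", "", "preview"),
    ]
    
    
    def build_directory():
        """Create an in-memory directory populated with the constructed users."""
        conn = sqlite3.connect(":memory:")
        conn.execute(
            "CREATE TABLE users (user_id TEXT PRIMARY KEY, firstname TEXT, "
            "lastname TEXT, email TEXT, role TEXT)"
        )
        conn.execute("CREATE TABLE user_auth (user_id TEXT PRIMARY KEY, passwd TEXT)")
        for uid, first, last, email, role in SAMPLE_USERS:
            conn.execute(
                "INSERT INTO users VALUES (?, ?, ?, ?, ?)", (uid, first, last, email, role)
            )
            # Unsalted MD5, as the advisory says 5.x stored; constructed values.
            digest = hashlib.md5(f"constructed-{uid}".encode()).hexdigest()
            conn.execute("INSERT INTO user_auth VALUES (?, ?)", (uid, digest))
        conn.commit()
        return conn
    
    
    def vulnerable_search_sql(by, term):
        """The defect pattern: the client-controlled 'by' field is pasted into
        the SQL text, so whatever the client sends is treated as SQL. Returns
        the query text only, to show the problem without executing it."""
        return (
            "SELECT user_id, firstname, lastname, email FROM users "
            f"WHERE {by} LIKE '%{term}%'"
        )
    
    
    # Lesson 1: the only column names the client may ask to search by. A column
    # name cannot be bound as a parameter, so an allow-list is the fix for it.
    SEARCHABLE_COLUMNS = ("firstname", "lastname", "email")
    
    
    def handle_search(conn, session_role, params):
        """Hardened handler in the role of search.pl. Returns (status, body)
        the way a web handler would."""
        # Lesson 2: the address book is hidden from preview users in the UI;
        # enforce that on the back end as well.
        if session_role != "user":
            return 403, "address book not available"
        by = params.get("by", "")
        term = params.get("term", "")
        if by not in SEARCHABLE_COLUMNS:
            return 400, "unsupported search field"
        # The column name comes from the allow-list; the term is a bound parameter.
        sql = f"SELECT user_id, firstname, lastname, email FROM users WHERE {by} LIKE ?"
        try:
            rows = conn.execute(sql, (f"%{term}%",)).fetchall()
        except sqlite3.Error:
            # Lesson 4: log the real error server-side; the client gets a generic message.
            return 500, "search failed"
        return 200, rows
    
    
    if __name__ == "__main__":
        db = build_directory()
        print(handle_search(db, "user", {"by": "lastname", "term": "And"}))
        print(handle_search(db, "preview", {"by": "lastname", "term": "And"}))
        print(handle_search(db, "user", {"by": "passwd", "term": "x"}))
        print(vulnerable_search_sql("lastname; --", "x"))
    ```
    
    Note that the allow-list, not quoting or escaping, is what protects the
    column position: escaping helps only where the value is a string literal,
    and the search term is handled by binding it as a parameter rather than by
    filtering it.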
    
    
    -- Vendor Notification
    
    The Blackboard team was concerned, quick to respond, open to suggestions,
    professional, and even took the time to teleconference. Overall I was very
    impressed with their handling of the situation.
    
    08/07/2002 - Vulnerability discovered.
    08/08/2002 - My University contacted.
    08/11/2002 - First contact with David Yaskin at Blackboard.
    08/30/2002 - Patch test with my University.
    09/01/2002 - Fix made available and announcement made to Blackboard
                 community.
    01/21/2003 - Public release.
    
    
    -- Vendor Response
    
    A security hotfix is now available through Blackboard that will address
    recently identified issues related to the Blackboard User Directory.
    Although there have been no reported security breaches, Blackboard would
    like to share this important information with clients. For locally installed
    clients running on release 5.5.1 or later (including Blackboard Learning
    System - ML), the recommended solution is to obtain the hotfix by calling
    Blackboard Product Support at 1-888-788-5264 or by submitting a service
    request ticket through the Blackboard Product Support Web site. For locally
    installed clients running on releases earlier than 5.5.1, the recommended
    solution is to upgrade to 5.5.1 and then apply the hotfix. To upgrade to
    release 5.5.1, system administrators can go to http://behind.blackboard.com
    and click on the "Hotfixes and Updates" icon to obtain the download. Once
    release 5.5.1 has been installed, you may obtain the hotfix by calling
    Blackboard Product Support at 1-888-788-5264 (+1-202-715-6019 for
    international clients); or by submitting a service request ticket through
    the Blackboard Product Support Web site.
    
    For all Learning System and Learning and Community Portal System (formerly
    Blackboard 5 Level Three) clients running on releases earlier than 5.5.1,
    please contact your Account Manager, at 202-463-4860 prior to upgrading.
    
    UNAFFECTED: Clients who are using our Enterprise product capability of
    completely externalizing external authentication, and have implemented
    Blackboard Learning System, Level 3 using LDAP, Kerberos, Active Directory,
    or Active Directory are unaffected.
    
    Clients running on Blackboard CourseInfo need not take action at this time,
    as the potential security vulnerability does not affect this platform.
    
    Clients running on the Blackboard Transaction System are unaffected.
    
    
    -- What is Blackboard?
    
    Blackboard offers a complete suite of enterprise software products and
    services that power a total "e-Education Infrastructure" for schools,
    colleges, universities, and other education providers.
    
    Blackboard offers a suite of products.  This article refers specifically to
    the Blackboard Learning System 5.x, Level 1 and 2.  If you are using the
    Enterprise product capability of completely externalizing authentication,
    you are not affected.
    
    
    -- Thanks
    
    Thanks go to Ralph Schindler <ralphat_private> for aiding me in this
    research, and David Yaskin at Blackboard for his time and commitment.
    
    
    -pedram
    http://pedram.redhive.com
    



    This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 13:54:32 PST