-- Overview Through the exploitation of a SQL injection vulnerability it is possible for an unauthenticated user to query the Blackboard user directory and: - Enumerate users with a given password. - Extract the MD5 password of any given user. Blackboard Learning System 5.x, level 1 and 2 are affected. -- Description Improper filtering in the address book search feature allows an attacker to inject SQL statements into a query that is executed with read access to the users table. The address book search feature is implemented by /bin/common/search.pl and the improperly filtered argument is "by". It is a trivial matter for an attacker to construct queries that will return a listing of all users with a given password. It is also possible for an attacker to execute a scripted attack that can extract the MD5 hashed password of a specific user. A valid account is not required to exploit the above-described vulnerabilities. Most (all?) organizations have a "preview" button on the login screen allowing anyone to login to a restricted version of the system. Preview users are not given an interface to the address book. However, despite the fact that the address book is "hidden" from preview users, it is not actually restricted. The scripts required in exploitation are indeed accessible to the preview user thereby opening the window of exploitation to any remote user. A more detailed and technical explanation of the vulnerability is available at http://pedram.redhive.com/advisories/blackboard5.txt -- Lessons to Learn - Usage of unfiltered user provided data within SQL queries is a common web application programming error. - Blocked and/or removed functionality should be enforced on the back end as well as the front end. - User authentication information should not be stored in the same table as biographical information. Cross table SQL injection tricks are more difficult to find and the authentication table should only be accessed on authentication needs. - Suppress script failure debug outputs in production environments. -- Vendor Notification The Blackboard team was concerned, quick to respond, open to suggestions, professional, and even took the time to teleconference. Over all I was very impressed with their handling of the situation. 08/07/2002 - Vulnerability discovered. 08/08/2002 - My University contacted. 08/11/2002 - First contact with David Yaskin at Blackboard. 08/30/2002 - Patch test with my University. 09/01/2002 - Fix made available and announcement made to Blackboard community. 01/21/2003 - Public release. -- Vendor Response A security hotfix is now available through Blackboard that will address recently identified issues related to the Blackboard User Directory. Although there have been no reported security breaches, Blackboard would like to share this important information with clients. For locally installed clients running on release 5.5.1 or later (including Blackboard Learning System - ML), the recommended solution is to obtain the hotfix by calling Blackboard Product Support at 1-888-788-5264 or by submitting a service request ticket through the Blackboard Product Support Web site. For locally installed clients running on releases earlier than 5.5.1, the recommended solution is to upgrade to 5.5.1 and then apply the hotfix. To upgrade to release 5.5.1, system administrators can go to http://behind.blackboard.com and click on the "Hotfixes and Updates" icon to obtain the download. Once release 5.5.1 has been installed, you may obtain the hotfix by calling Blackboard Product Support at 1-888-788-5264 (+1-202-715-6019 for international clients); or by submitting a service request ticket through the Blackboard Product Support Web site. For all Learning System and Learning and Community Portal System (formerly Blackboard 5 Level Three) clients running on releases earlier than 5.5.1, please contact your Account Manager, at 202-463-4860 prior to upgrading. UNAFFECTED: Clients who are using our Enterprise product capability of completely externalizing external authentication, and have implemented Blackboard Learning System, Level 3 using LDAP, Kerberos, Active Directory, or Active Directory are unaffected. Clients running on Blackboard CourseInfo need not take action at this time, as the potential security vulnerability does not affect this platform. Clients running on the Blackboard Transaction System are unaffected. -- What is Blackboard? Blackboard offers a complete suite of enterprise software products and services that power a total "e-Education Infrastructure" for schools, colleges, universities, and other education providers. Blackboard offers a suite of products. This article refers specifically to the Blackboard Learning System 5.x, Level 1 and 2. If you are using the Enterprise product capability of completely externalizing authentication, you are not affected. -- Thanks Thanks go to Ralph Schindler <ralph@redhive.com> for aiding me in this research, and David Yaskin at Blackboard for his time and commitment. -pedram http://pedram.redhive.com