Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11257
HistoryFeb 01, 2006 - 12:00 a.m.

Blackboard Authentication Error

2006-02-0100:00:00
vulners.com
4
JSON

Hello,

Here at my university we use Blackboard as the chosen tool for having online class websites, grading,
chatrooms, announcements, quizzing, etc., in a convenient fashion.

Blackboard works alongside our Kerberos authentication to be sure that the person who is accessing the
information is the correct one.

Tonight I discovered that there is a way that Blackboard fails in doing this. When Blackboard has been
idle for so long (ten minutes or so, I think), it will de-authenticate you from accessing resources. So,
let's say I'm logged in as mrm5, I use it, then I walk away from the computer. If someone comes up and
tries to gain access to the still-up Blackboard site, after they click a link they will be prompted with a
password entry screen.

This presumably means that in order to access mrm5's stuff, you need to enter mrm5's information. But,
instead, if you enter another user's information, such as ppq2, and enter the correct password for ppq2, you
will now be logged in under mrm5's account instead of ppq2's, and able to do everything that mrm5 could have
if they were logged in, including changing personal information, "enrolling" in class, making posts on
boards, taking quizzes, etc.

I have no idea and no way of checking to see if other universities are susceptible to the same problem, but
either way this is something that
needs to be fixed.

-jehnx/Josh

JSON