Message-ID: <43E0F199.7000206@vsecurity.com>
Date: Wed, 01 Feb 2006 12:36:25 -0500
From: George <ggal-security@...curity.com>
To: jdo24@...nell.edu
Cc: bugtraq@...urityfocus.com
Subject: Re: Blackboard Authentication Error


Sounds like they have a session fixation issue on their hands as well 
since they are reusing the session id upon reauthentication. But based 
on your description it doesn't sound like they completely abandon all 
data associated with the session upon the reauth.

-george

jdo24@...nell.edu wrote:

>Hello,
>
>Here at my university we use Blackboard as the chosen tool for having online class websites, grading, chatrooms, announcements, quizzing, etc., in a convenient fashion.
>
>Blackboard works alongside our Kerberos authentication to be sure that the person who is accessing the information is the correct one.
>
>Tonight I discovered that there is a way that Blackboard fails in doing this.  When Blackboard has been idle for so long (ten minutes or so, I think), it will de-authenticate you from accessing resources.  So, let's say I'm logged in as mrm5, I use it, then I walk away from the computer.  If someone comes up and tries to gain access to the still-up Blackboard site, after they click a link they will be prompted with a password entry screen.
>
>This presumably means that in order to access mrm5's stuff, you need to enter mrm5's information.  But, instead, if you enter another user's information, such as ppq2, and enter the correct password for ppq2, you will now be logged in under mrm5's account instead of ppq2's, and able to do everything that mrm5 could have if they were logged in, including changing personal information, "enrolling" in class, making posts on boards, taking quizzes, etc.
>
>I have no idea and no way of checking to see if other universities are susceptible to the same problem, but either way this is something that 
>needs to be fixed.
>
>-jehnx/Josh
>  
>
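The session-handling mistake described in the thread, reconstructed as an added example that is not from the original posts or from Blackboard itself: a minimal session store whose reauthentication step either keeps the idle session's id, owner and data for whichever valid credential is entered (the behaviour Josh observed), or rotates the id and binds the result to the principal that actually authenticated (the fix George's reply implies). The user names and passwords are constructed placeholders; a real deployment would verify against Kerberos as the post describes.

```python
import secrets
from dataclasses import dataclass, field

# Constructed credential store for the example only.
USERS = {"mrm5": "pw-mrm5", "ppq2": "pw-ppq2"}


@dataclass
class Session:
    user: str
    data: dict = field(default_factory=dict)
    locked: bool = False  # set once the idle timeout has expired


class SessionStore:
    def __init__(self):
        self.sessions = {}

    def login(self, user, password):
        if USERS.get(user) != password:
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user=user)
        return sid

    def idle_timeout(self, sid):
        self.sessions[sid].locked = True

    def whoami(self, sid):
        s = self.sessions.get(sid)
        return s.user if s and not s.locked else None

    def reauth_vulnerable(self, sid, user, password):
        """Behaviour reported in the thread: any valid credential unlocks the
        existing session, which keeps its original owner, data and id."""
        if sid not in self.sessions or USERS.get(user) != password:
            return None
        self.sessions[sid].locked = False
        return sid  # same id, still the original user's session

    def reauth_fixed(self, sid, user, password):
        """Hardened form: the old id is discarded, the new session is bound to
        the principal that authenticated, and data carries over only when
        that principal is the session's original owner."""
        old = self.sessions.pop(sid, None)  # old id is never valid again
        if old is None or USERS.get(user) != password:
            return None
        carried = old.data if user == old.user else {}
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = Session(user=user, data=carried)
        return new_sid
```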


