| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 01 Feb 2006 16:25:32 -0600 (CST) From: Johan A.van Zanten <johan@...anglers.com> To: jdo24@...nell.edu Cc: bugtraq@...urityfocus.com Subject: Re: Blackboard Authentication Error jdo24@...nell.edu wrote: > Hello, > > Here at my university we use Blackboard as the chosen tool for having > online class websites, grading, chatrooms, announcements, quizzing, > etc., in a convenient fashion. > Blackboard works alongside our Kerberos authentication to be sure that > the person who is accessing the information is the correct one. What version of Blackboard are you talking about? Do you realize that the Kerberos Authentication you're describing is non standard (to Bb), and the problem you are warning about could be due to something unique to your site? For example, the issue really could be that Kerberos credentials are still stored on the machine running the web browser you were using, and they are being reused by the browser. > Tonight I discovered that there is a way that Blackboard fails in doing > this. When Blackboard has been idle for so long (ten minutes or so, I > think), it will de-authenticate you from accessing resources. So, let's > say I'm logged in as mrm5, I use it, then I walk away from the computer. For longer than 10 minutes? Did the session timeout in Bb? > If someone comes up and tries to gain access to the still-up Blackboard > site, after they click a link they will be prompted with a password > entry screen. Session timeouts are a site-tunable parameter. If sysadmins of your installation want to make this even less than 10 minutes, they probably can. > This presumably means that in order to access mrm5's stuff, you need to > enter mrm5's information. But, instead, if you enter another user's > information, such as ppq2, and enter the correct password for ppq2, you > will now be logged in under mrm5's account instead of ppq2's, and able > to do everything that mrm5 could have if they were logged in, including > changing personal information, "enrolling" in class, making posts on > boards, taking quizzes, etc. What a user can do (enroll, etc) is also a site-specific parameter. Not all installations of Bb allow the users to do all of the tasks you describe here. > I have no idea and no way of checking to see if other universities are > susceptible to the same problem, but either way this is something that > needs to be fixed. I believe there was a bug and fix reported (at least 6 months ago, maybe as much as a year) for some instances where sessions were not being completely cleared out, and one user could "inherit" the previous session of a different user. Probably your best bet for getting this fixed is to report it to your local sysadmins. It's a distinct possibility that all they need to do i install a patch or service pack. Presumably, being a concerned and responsible person, you reported this to Blackboard, Inc.'s support months ago, before mailing it to bugtraq, right? In case you aren't, here's some contact information so you can report the bug to the vendor, now that you've already reported it to the world: Blackboard customer support: (888) 788-5264 However, their support system is geared towards known contacts at customer sites calling in, so you are probably much better off reporting this to Cornell's help desk and giving the Bb sysadmins there the info they need to determine if the issue is a local problem or something Cornell can take up with Bb. -johan
Powered by blists - more mailing lists