COMMAND

	Blackboard Password Retrieval

SYSTEMS AFFECTED

	Blackboard Learning System 5.x, level 1 and 2 are affected
	
	UNAFFECTED: Clients who are using our Enterprise product  capability  of
	completely externalizing external authentication, and  have  implemented
	Blackboard  Learning  System,  Level  3  using  LDAP,  Kerberos,  Active
	Directory, or Active Directory are unaffected.

PROBLEM

	Pedram Amini [pedram@redhive.com] found :
	
	--snip--
	
	Improper  filtering  in  the  address  book  search  feature  allows  an
	attacker to inject SQL statements into a query  that  is  executed  with
	read access to the users table.  The  address  book  search  feature  is
	implemented  by  /bin/common/search.pl  and  the   improperly   filtered
	argument is "by". It is a trivial matter for an  attacker  to  construct
	queries that will return a listing of all users with a  given  password.
	It is also possible for an attacker to execute a  scripted  attack  that
	can extract the MD5 hashed password of a specific user.
	
	A  valid  account  is  not  required  to  exploit  the   above-described
	vulnerabilities. Most (all?) organizations have a  "preview"  button  on
	the login screen allowing anyone to login to  a  restricted  version  of
	the system. Preview users are not given  an  interface  to  the  address
	book. However, despite the fact that the address book is  "hidden"  from
	preview users, it is not actually restricted. The  scripts  required  in
	exploitation are indeed accessible to the preview user  thereby  opening
	the window of exploitation to any remote user.
	
	A more detailed  and  technical  explanation  of  the  vulnerability  is
	available at :
	
	 http://pedram.redhive.com/advisories/blackboard5.txt
	
	

SOLUTION

	A security hotfix is now available through Blackboard that will  address
	recently identified issues related to  the  Blackboard  User  Directory.
	Although there have  been  no  reported  security  breaches,  Blackboard
	would like  to  share  this  important  information  with  clients.  For
	locally installed clients running on release 5.5.1 or  later  (including
	Blackboard Learning System - ML), the recommended solution is to  obtain
	the hotfix by calling Blackboard Product Support  at  1-888-788-5264  or
	by submitting a service request ticket through  the  Blackboard  Product
	Support Web site. For locally  installed  clients  running  on  releases
	earlier than 5.5.1, the recommended solution is to upgrade to 5.5.1  and
	then  apply  the  hotfix.  To   upgrade   to   release   5.5.1,   system
	administrators can go to http://behind.blackboard.com and click  on  the
	"Hotfixes and Updates" icon to obtain the download. Once  release  5.5.1
	has been installed, you may obtain  the  hotfix  by  calling  Blackboard
	Product Support at  1-888-788-5264  (+1-202-715-6019  for  international
	clients);  or  by  submitting  a  service  request  ticket  through  the
	Blackboard Product Support Web site.
	
	For all  Learning  System  and  Learning  and  Community  Portal  System
	(formerly Blackboard 5 Level Three) clients running on releases  earlier
	than 5.5.1, please contact your Account Manager, at  202-463-4860  prior
	to upgrading.
	
	Clients running on Blackboard CourseInfo need not take  action  at  this
	time, as the potential  security  vulnerability  does  not  affect  this
	platform.
	
	Clients running on the Blackboard Transaction System are unaffected.