Vulnerability Note VU#204055

Blackboard Transact database credentials disclosure

Overview

The Blackboard Transact application contains two vulnerabilities that allow an unauthorized user to access the database credentials.

I. Description

The Blackboard Transact application (previously known as Blackboard Commerce Suite) comes with a utility called BbtsConnection_Edit.exe that is used to edit the encrypted configuration file named connection.xml. When editing connection.xml, BbtsConnection_Edit.exe decrypts all the fields except the <Password> field. If a user opens the connection.xml file in a text editor and copies the data for <Password> into any other field, such as <Server>, then the BbtsConnection_Edit.exe program will decrypt and display the password in that other field (in this example, <Server>).

An additional issue exists in that the Blackboard Transact application uses multiple script and batch (.bat) files for automated backup procedures that contain the database username and password in clear text.

II. Impact

An attacker who has access to BbtsConnection_Edit.exe and the connection.xml file, or read access to the backup scripts, can obtain the database username and password.

III. Solution

Upgrade

The vendor has acknowledged these issues and additional information is available in the Vendors Affected section of this document.

Restrict access

It may be possible to set file permissions on BbtsConnection_Edit.exe, connection.xml, and the script and batch (.bat) files used for automated backup procedures to restrict access to administrators only.
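
One way to audit and apply the restriction described above, as an added example that is not part of the original note or any vendor tooling. The installation path is a placeholder, the allow list of SYSTEM and Administrators is an assumption (an account the application runs under may need to be added), and only .bat scripts are matched, so other script extensions must be added by hand.

```powershell
# Added example: not Blackboard or US-CERT code.
param(
    # Placeholder: the advisory does not state the installation path.
    [string]$InstallDir = 'C:\PLACEHOLDER\Transact',
    # Without -Apply the script only reports what it finds.
    [switch]$Apply
)

# Assumption: only SYSTEM and BUILTIN\Administrators (well-known SIDs) keep access.
$allowedSids = 'S-1-5-18', 'S-1-5-32-544'
$sidType = [System.Security.Principal.SecurityIdentifier]

# The files the advisory names, plus the .bat backup scripts.
$targets = Get-ChildItem -Path $InstallDir -Recurse -File -ErrorAction Stop |
    Where-Object {
        ($_.Name -in 'BbtsConnection_Edit.exe', 'connection.xml') -or
        ($_.Extension -eq '.bat')
    }

foreach ($file in $targets) {
    $acl = Get-Acl -LiteralPath $file.FullName

    # Explicit and inherited Allow entries for any principal not on the allow list.
    $extra = @($acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $allowedSids
    })

    # Report the state of the file before any change is made.
    [pscustomobject]@{
        File      = $file.FullName
        ExtraSids = ($extra.IdentityReference.Value | Sort-Object -Unique) -join ', '
        AdminOnly = ($extra.Count -eq 0)
    }

    if ($Apply -and $extra.Count -gt 0) {
        # Stop inheriting from the parent folder and discard the inherited entries.
        $acl.SetAccessRuleProtection($true, $false)
        # Remove every explicit entry held by the principals found above.
        foreach ($rule in $extra) { $acl.PurgeAccessRules($rule.IdentityReference) }
        # Grant full control to the allowed principals only.
        foreach ($sid in $allowedSids) {
            $id   = New-Object System.Security.Principal.SecurityIdentifier $sid
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
            $acl.AddAccessRule($rule)
        }
        Set-Acl -LiteralPath $file.FullName -AclObject $acl
    }
}
```

Run it without -Apply first and review the ExtraSids column before changing any permissions.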

Vendor Information

Vendor           Status    Date Notified  Date Updated
Blackboard Inc.  Affected  2010-07-02     2010-09-23

References

http://www.blackboard.com/Commerce-Security/Transact-Platform.aspx

Credit

Thanks to John Fisher for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

Date Public: 2010-08-17
Date First Published: 2010-09-01
Date Last Updated: 2010-09-23
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Severity Metric: 3.33
Document Revision: 40

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Produced 2010 by US-CERT, a government organization