Vulnerability Note VU#204055
Blackboard Transact database credentials disclosure
The Blackboard Transact application contains two vulnerabilities that allow an unauthorized user to access the database credentials.
The Blackboard Transact application (previously known as Blackboard Commerce Suite) comes with a utility called BbtsConnection_Edit.exe that is used to edit the encrypted configuration file named connection.xml. When editing connection.xml, BbtsConnection_Edit.exe decrypts all the fields except the <Password> field. If a user opens the connection.xml file in a text editor and copies the data for <Password> into any other field, such as <Server>, then the BbtsConnection_Edit.exe program will display the password in that other field, in this example <Server>.
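The behaviour described above follows from a design in which every field is encrypted under the same key and nothing in the ciphertext records which field it belongs to, so the editor decrypts whatever value sits in a displayed field. The following is an added illustration, not code from the note or from Blackboard, and it assumes nothing about the real connection.xml format: it models a configuration store with a constructed master key, a keyed-HMAC stream cipher standing in for a real cipher, and an editor that hides only the Password field. The "unbound" scheme reproduces the moved-field problem; the "bound" scheme derives a per-field key and authenticates the field name with the ciphertext (the same effect a real AEAD such as AES-GCM gives when the field name is passed as associated data), so a value moved into another field is rejected instead of displayed.

```python
import hashlib
import hmac
import os

# Constructed demo master key; a real deployment keeps this in a protected store.
MASTER_KEY = hashlib.sha256(b"constructed demo master key").digest()
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (demo only)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Unbound scheme: one key for every field, ciphertext not tied to its field ---
def encrypt_unbound(field: str, plaintext: bytes) -> bytes:
    # The field name is deliberately ignored; this is the weak design.
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(MASTER_KEY, nonce, len(plaintext)))


def decrypt_unbound(field: str, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(MASTER_KEY, nonce, len(ct)))


# --- Bound scheme: per-field subkeys and a MAC over field name + nonce + ciphertext ---
def _field_keys(field: str) -> tuple[bytes, bytes]:
    enc = hmac.new(MASTER_KEY, b"enc:" + field.encode(), hashlib.sha256).digest()
    mac = hmac.new(MASTER_KEY, b"mac:" + field.encode(), hashlib.sha256).digest()
    return enc, mac


def encrypt_bound(field: str, plaintext: bytes) -> bytes:
    enc_key, mac_key = _field_keys(field)
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, field.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_bound(field: str, blob: bytes) -> bytes:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _field_keys(field)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, field.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError(f"ciphertext is not bound to field {field!r}")
    return _xor(ct, _keystream(enc_key, nonce, len(ct)))


def editor_view(config: dict, decrypt, hidden=("Password",)) -> dict:
    """Model of an editor that shows every field decrypted except the hidden ones."""
    view = {}
    for field, blob in config.items():
        if field in hidden:
            view[field] = "********"
            continue
        try:
            view[field] = decrypt(field, blob).decode("utf-8", errors="replace")
        except ValueError:
            view[field] = "<invalid ciphertext>"
    return view


def moved_field_display(encrypt, decrypt) -> str:
    """Store a password, copy its stored value into the Server field, and report
    what the editor then shows for Server (constructed values throughout)."""
    config = {
        "Server": encrypt("Server", b"db.example.internal"),
        "Password": encrypt("Password", b"constructed-demo-secret"),
    }
    config["Server"] = config["Password"]
    return editor_view(config, decrypt)["Server"]


if __name__ == "__main__":
    print("unbound scheme shows:", moved_field_display(encrypt_unbound, decrypt_unbound))
    print("bound scheme shows:  ", moved_field_display(encrypt_bound, decrypt_bound))
```

The point of the bound variant is that hiding a field in the user interface is not a security boundary; the protection has to live in the ciphertext itself, by binding each value to the field it was encrypted for.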
An additional issue exists in that the Blackboard Transact application uses multiple script and batch (.bat) files for automated backup procedures that contain the database username and password in clear text.
An attacker who has access to BbtsConnection_Edit.exe and the connection.xml file, or read access to the backup scripts, can obtain the database username and password.
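Cleartext database credentials in backup scripts are something an administrator can look for on their own systems. The scanner below is an added example and is not code from the note or from Blackboard; it runs over a constructed batch file (the script text, variable names and values are all made up) and reports lines that assign or pass a literal password while skipping values that are only variable references such as %DB_PASS%. Reported lines are returned with the secret redacted so the findings themselves do not leak it.

```python
import re

# Constructed sample of an automated backup batch file; not Blackboard's own script.
SAMPLE_SCRIPT = """@echo off
rem nightly database backup (constructed sample)
set DB_USER=bbtransact
set DB_PASS=Winter2010!
sqlcmd -S dbhost -U %DB_USER% -P %DB_PASS% -Q "BACKUP DATABASE transact TO DISK='D:\\bak\\t.bak'"
mysqldump -u backup --password=hunter2 transact > D:\\bak\\nightly.sql
echo backup finished
"""

# (rule name, pattern, index of the group holding the credential value)
RULES = [
    ("long-option", re.compile(r"--(?:password|pwd|passwd)(?:=|\s+)(\S+)", re.I), 1),
    ("short-option", re.compile(r"(?:^|\s)-[pP]\s*(\S+)"), 1),
    ("assignment", re.compile(r"\b(?:set\s+)?[A-Z_]*(?:PASS|PASSWORD|PASSWD|PWD)[A-Z_]*\s*=\s*(\S+)", re.I), 1),
]

# A value that is only a variable reference (%VAR%, $VAR, ${VAR}) is not a literal secret.
REFERENCE = re.compile(r"%[^%]+%|\$\{?\w+\}?")


def scan_script(text: str) -> list[dict]:
    """Return one finding per line that carries a literal credential, first rule wins."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for name, pattern, group in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(group)
            if REFERENCE.fullmatch(value):
                continue  # a reference to a variable, keep checking other rules
            redacted = line[:m.start(group)] + "<redacted>" + line[m.end(group):]
            findings.append({"line": number, "rule": name, "redacted": redacted})
            break
    return findings


if __name__ == "__main__":
    for f in scan_script(SAMPLE_SCRIPT):
        print(f"line {f['line']:>3}  {f['rule']:<12} {f['redacted']}")
```

In the sample, line 4 is flagged for the literal assignment and line 6 for the literal --password option, while line 5 is not, because its -P argument only references a variable. In practice the scan is run over the directory holding the backup scripts, and any hit is a prompt to move the credential into a protected store or an access-controlled configuration file rather than the script body.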
Vendor Information
| Vendor | Status | Date Notified | Date Updated |
| Blackboard Inc. | Affected | 02 Jul 2010 | 23 Sep 2010 |
Thanks to John Fisher for reporting this vulnerability.
This document was written by Michael Orlando.
- CVE IDs: Unknown
- Date Public: 17 Aug 2010
- Date First Published: 01 Sep 2010
- Date Last Updated: 23 Sep 2010
- Severity Metric: 3.33
- Document Revision: 40
If you have feedback, comments, or additional information about this vulnerability, please send us email.