search menu icon-carat-right cmu-wordmark

CERT Coordination Center


Blackboard Transact database credentials disclosure

Vulnerability Note VU#204055

Original Release Date: 2010-09-01 | Last Revised: 2010-09-23

Overview

The Blackboard Transact application contains two vulnerabilities that allow an unauthorized user to access the database credentials.

Description

The Blackboard Transact application (previously know as Blackboard Commerce Suite) comes with a utility called BbtsConnection_Edit.exe that is used to edit the encrypted configuration file named connection.xml. When editing connection.xml, BbtsConnection_Edit.exe decrypts all the fields except the <Password> field. If a user opens the connection.xml file in text editor and copies the data for <Password> into any other field such as <Server>, then the BbtsConnection_Edit.exe program will display the password in the other field, in this example <Server>.

An additional issue exists in that the Blackboard Transact application uses multiple script and batch (.bat) files for automated backup procedures that contain the database username and password in clear text.

Impact

An attacker who has access to BbtsConnection_Edit.exe and the connection.xml file, or read access to the backup scripts, can obtain the database username and password.

Solution

Upgrade
The vendor has acknowledged these issues and additional information is available in the Vendors Affected section of this document.


Restrict access

It may be possible to set file permissions on BbtsConnection_Edit.exe, connection.xml, and the script and batch (.bat) files used for automated backup procedures to restrict access by administrators only.

Vendor Information

204055
Expand all

Blackboard Inc.

Notified:  July 02, 2010 Updated:  September 23, 2010

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor recommends users upgrade to Blackboard Transact Suite 3.6 Patch 2 (version 3.6.0.2) to address the vulnerability in the BbtsConnection_Edit.exe utility.

The vendor recommends users upgrade to Blackboard Transact Suite 3.6 Patch 4 (version 3.6.0.4) to address the issue of database username and password in clear text inside of multiple script and batch (.bat) files that are used for automated backups.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to John Fisher for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: None
Severity Metric: 3.33
Date Public: 2010-08-17
Date First Published: 2010-09-01
Date Last Updated: 2010-09-23 13:00 UTC
Document Revision: 40

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.