CourseInfo Exposes Admin Psw

 
BlackBoard CourseInfo Exposes Admin Psw
Reported July 10, 2000 by James Megna

DESCRIPTION

During the installation process, Blackboard CourseInfo 4.0 requires that the user create an administrative account used to access and configure the CourseInfo software. The user name and password are stored in a registry key that is left unprotected from access by unauthorized users. Furthermore, the password is stored in clear text making abuse all the more likely. The username and password are stored in the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Blackboard, Inc.\CourseInfo40

VENDOR RESPONSE

Blackboard Inc. is aware of the problem and has recommended that users protect against remote registry access by asserting proper permissions on the operating systems "winreg" registry key.

Take note that this measure does not protect the registry key from access by a locally logged on user, so the risk remains if the system is shared by other users.

At the time of this writing, no response was available from Blackboard Inc. with regard to whether a patch or future product version would remedy the clear text password storage and loose registry key permissions.

CREDITS
Discovered and reported by James Megna