Blackboard 4 Authentication Bypass Vulnerability

Apparently Blackboard Courseinfo has no user authentication, meaning that anyone can force feed their own form values and Perl with merrily modify the database. So for instance running: (all form input is in caps for readability)

    /bin/common/    \
    &firstname=FIRST&lastname=LAST&course_id=SOMECOURSE \

will set victims password to whatever you please. Of course the downside to this is that the next time the user attempts to login and his/her password doesn't work some suspicion is bound to arise. Another thing you can do is change your "role". Example:

    /bin/common/ \

will up my "role" to TA. 's' will change you back to a student, and 'g' will make you an instructor (grader?) (I guess Blackboard decided to get sneaky here and not to use the obvious 'i' for instructor).

Blackboard advertises that over 1600 educational institutes use their software, I haven't verified whether or not these methods work on other schools.

You can find a brief list of schools using Courseinfo v4.0 via the following google search:

    +"courseinfo v4.0"

The only prerequisite needed to launch these attacks is a valid account, which is no big deal at all since just about every site I've seen allows you to create one. Even if the create account button wasn't on the main page my guess is that one could add an account with the following:

    /bin/ \
    [email protected]&user_id=MYID            \

I thought that maybe the runfirst=0 determines whether or not the account being created is the first one or not. I imagine that the first account gets some kind of special privileges, however feeding it a value of '1' doesn't seem to have any effect.

I contacted Blackboard on February 15 of this year and all I've heard is a thank you over the phone. I've tried writing again, and was ignored. Seeing the other post on Courseinfo I figured this would be an appropriate time to mention mine.