Executive Summary
Summary | |
---|---|
Title | Blackboard Transact database credentials disclosure |
Information | |||
---|---|---|---|
Name | VU#204055 | First vendor Publication | 2010-09-01 |
Vendor | VU-CERT | Last vendor Modification | 2010-09-23 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:L/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 4.6 | Attack Range | Local |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Exploit Score | 3.9 | Authentication | None Required |
Detail
Vulnerability Note VU#204055

Blackboard Transact database credentials disclosure

Overview

The Blackboard Transact application contains two vulnerabilities that allow an unauthorized user to access the database credentials.

I. Description

The Blackboard Transact application (previously known as Blackboard Commerce Suite) comes with a utility called BbtsConnection_Edit.exe that is used to edit the encrypted configuration file named connection.xml. When editing connection.xml, BbtsConnection_Edit.exe decrypts all the fields except the <Password> field. If a user opens the connection.xml file in a text editor and copies the data for <Password> into any other field such as <Server>, then the BbtsConnection_Edit.exe program will display the password in the other field, in this example <Server>.

An additional issue exists in that the Blackboard Transact application uses multiple script and batch (.bat) files for automated backup procedures that contain the database username and password in clear text. The vendor has acknowledged these issues and additional information is available in the Vendors Affected section of this document.
References

http://www.blackboard.com/Commerce-Security/Transact-Platform.aspx

Thanks to John Fisher for reporting this vulnerability. This document was written by Michael Orlando.
Original Source
Url : http://www.kb.cert.org/vuls/id/204055 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-200 | Information Exposure |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
67774 | Blackboard Transact BbtsConnection_Edit.exe connection.xml Password Local Dis... |
67772 | Blackboard Transact Automated Backup Cleartext Database Credentials Local Dis... |