Blackboard Transact database credentials disclosure


### Overview

The Blackboard Transact application contains two vulnerabilities that allow an unauthorized user to obtain the database credentials.

### Description

The Blackboard Transact application (previously known as Blackboard Commerce Suite) ships with a utility called `BbtsConnection_Edit.exe` that is used to edit the encrypted configuration file named `connection.xml`. When editing `connection.xml`, `BbtsConnection_Edit.exe` decrypts all the fields except the `<Password>` field. If a user opens `connection.xml` in a text editor and copies the data for `<Password>` into any other field, such as `<Server>`, then `BbtsConnection_Edit.exe` displays the password in that other field (`<Server>` in this example).

An additional issue exists in that the Blackboard Transact application uses multiple script and batch (.bat) files for automated backup procedures that contain the database username and password in clear text.

---

### Impact

An attacker who has access to `BbtsConnection_Edit.exe` and the `connection.xml` file, or read access to the backup scripts, can obtain the database username and password.

---

### Solution

**Upgrade**

The vendor has acknowledged these issues, and additional information is available in the Vendors Affected section of this document.

---

**Restrict access**

It may be possible to set file permissions on `BbtsConnection_Edit.exe`, `connection.xml`, and the script and batch (.bat) files used for automated backup procedures so that only administrators can access them.

---

### Vendor Information (vulnerability note 204055)

### Blackboard Inc.

Status: Affected

Notified: July 02, 2010

Updated: September 23, 2010

### Vendor Statement

We have not received a statement from the vendor.

### Vendor Information

The vendor recommends that users upgrade to Blackboard Transact Suite 3.6 Patch 2 (version …) to address the vulnerability in the `BbtsConnection_Edit.exe` utility.

The vendor recommends that users upgrade to Blackboard Transact Suite 3.6 Patch 4 (version …) to address the issue of the database username and password appearing in clear text inside the multiple script and batch (.bat) files used for automated backups.

### CVSS Metrics

Group | Score | Vector
---|---|---
Base | |
Temporal | |
Environmental | |

### References

<http://www.blackboard.com/Commerce-Security/Transact-Platform.aspx>

### Acknowledgements

Thanks to John Fisher for reporting this vulnerability.

This document was written by Michael Orlando.

### Other Information

**CVE IDs:** | None
---|---
**Severity Metric:** | 3.33
**Date Public:** | 2010-08-17
**Date First Published:** | 2010-09-01
**Date Last Updated:** | 2010-09-23 13:00 UTC
**Document Revision:** | 41
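The "Restrict access" workaround above, as an added PowerShell example that is not from this note or from Blackboard: it strips inherited and explicit ACEs from the named files, leaves only Administrators and SYSTEM, and then checks that no other principal is still allowed. The install path, the backup-script directory and the script extensions are assumptions.

```powershell
# Added example, not part of the CERT note or of Blackboard's software.
# Applies the "Restrict access" workaround: leave only Administrators and SYSTEM
# on the files the note names. $installRoot and $backupDir are assumed placeholders.
$installRoot = 'C:\Program Files\Blackboard\Transact'   # assumption: adjust to the real install path
$backupDir   = Join-Path $installRoot 'backup'            # assumption: where the backup scripts live

# Files to lock down: the editor utility, the encrypted config, and the backup scripts
$targets = @(
    (Join-Path $installRoot 'BbtsConnection_Edit.exe'),
    (Join-Path $installRoot 'connection.xml')
)
if (Test-Path $backupDir) {
    $targets += Get-ChildItem -Path $backupDir -Recurse -File -Include *.bat,*.cmd,*.sql,*.ps1 |
        Select-Object -ExpandProperty FullName
}

$allowedPrincipals = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM'

function Restrict-ToAdministrators {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Break inheritance without copying the parent ACEs (drops e.g. BUILTIN\Users: Read)
    $acl.SetAccessRuleProtection($true, $false)
    # Remove every explicit ACE so only the rules added below remain
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    foreach ($principal in $allowedPrincipals) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                           -ArgumentList $principal, 'FullControl', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-AdminOnlyAccess {
    # $true when no Allow ACE grants access to anyone but the allowed principals
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    $others = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and ($allowedPrincipals -notcontains $_.IdentityReference.Value)
    })
    return ($others.Count -eq 0)
}

foreach ($file in $targets) {
    if (-not (Test-Path -LiteralPath $file)) { Write-Warning "Not found: $file"; continue }
    Restrict-ToAdministrators -Path $file
    '{0}: admin-only = {1}' -f $file, (Test-AdminOnlyAccess -Path $file)
}
```

Run it from an elevated prompt; any scheduled backup job must afterwards run as SYSTEM or an administrator, because other service accounts lose read access to their own scripts.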