Blackboard Academic Suite Local Session Deauthentication

2006-02-01T18:14:01
ID OSVDB:28023
Type osvdb
Reporter jehnx/Josh(jdo24@cornell.edu)
Modified 2006-02-01T18:14:01

Description

Vulnerability Description

Blackboard Academic Suite has been reported to contain a flaw that may allow a local attacker to gain access to another user's account. The issue is reportedly due to the program not properly clearing session information when it deauthenticates an idle user, so that the next person to use the same workstation and browser can continue as the previous user without re-authenticating. The vendor has disputed this issue, saying "This is a customer specific issue related to their Kerberos authentication single sign-on application and not a vulnerability in the Blackboard product."
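
The failure mode described above, modelled as an added example (this is illustrative code, not Blackboard's or the reporter's): a session store whose idle timeout merely flags the record as unauthenticated and whose SSO login re-enables whatever session cookie the browser still carries, next to a hardened store that destroys the server-side record on timeout and mints a fresh session bound to the principal the SSO layer just authenticated. The class and function names, the 900-second timeout, and the principals "alice" and "bob" are assumptions.

```python
"""Added example, not Blackboard code: an idle-timeout "deauthentication" that
leaves server-side session state in place lets the next user of the same
browser inherit the previous user's identity. All names, the timeout value
and the SSO principals below are assumptions."""
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 900  # seconds of inactivity before deauthentication (assumed)


@dataclass
class Session:
    user: str            # principal the session is bound to
    last_seen: float     # timestamp of the last request on this session
    authenticated: bool = True


class FlawedSessionStore:
    """Models the reported behaviour: on idle timeout the record is only
    flagged unauthenticated, and a later SSO login on a browser that still
    presents the old cookie re-enables that record, user binding included."""

    def __init__(self):
        self.sessions = {}

    def sso_login(self, cookie_sid, principal, now):
        existing = self.sessions.get(cookie_sid)
        if existing is not None:
            # BUG: trusts the stale cookie, re-activates the old user binding
            # and ignores which principal the SSO layer just authenticated.
            existing.authenticated = True
            existing.last_seen = now
            return cookie_sid
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(principal, now)
        return sid

    def current_user(self, sid, now):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT:
            s.authenticated = False  # "deauthenticate" but keep the record
        if not s.authenticated:
            return None
        s.last_seen = now
        return s.user


class HardenedSessionStore:
    """Idle timeout deletes the server-side record; every login discards
    whatever cookie was presented and issues a new session id bound to the
    principal the SSO layer actually authenticated."""

    def __init__(self):
        self.sessions = {}

    def sso_login(self, cookie_sid, principal, now):
        # Drop any presented session unconditionally (also blocks fixation).
        self.sessions.pop(cookie_sid, None)
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(principal, now)
        return sid

    def current_user(self, sid, now):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if now - s.last_seen > IDLE_TIMEOUT:
            del self.sessions[sid]  # full server-side invalidation
            return None
        s.last_seen = now
        return s.user


def shared_workstation(store):
    """Constructed scenario: alice logs in, leaves the workstation past the
    idle timeout, then bob authenticates through SSO in the same browser
    (same cookie). Returns the identity attributed to bob's first request."""
    t0 = 1_000_000.0
    sid = store.sso_login(None, "alice", t0)
    if store.current_user(sid, t0 + 60) != "alice":
        raise RuntimeError("alice's session should be live")
    t_idle = t0 + 60 + IDLE_TIMEOUT + 1
    if store.current_user(sid, t_idle) is not None:
        raise RuntimeError("idle deauthentication should have fired")
    sid2 = store.sso_login(sid, "bob", t_idle + 5)
    return store.current_user(sid2, t_idle + 6)


if __name__ == "__main__":
    print("flawed store attributes bob's request to:",
          shared_workstation(FlawedSessionStore()))
    print("hardened store attributes bob's request to:",
          shared_workstation(HardenedSessionStore()))
```

With the flawed store, bob's first request is served as "alice"; with the hardened store it is served as "bob". The essential check for a site integrating its own SSO front end is the second one: after idle timeout, the server-side Blackboard session must be gone, not merely marked inactive, and a fresh login must never resume a session presented by the browser.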

Solution Description

The vendor disputes the report: according to Blackboard it is a customer-specific issue in that site's Kerberos single sign-on integration rather than a flaw in the product, so no product fix is required. Sites running a custom SSO front end should nonetheless verify that idle deauthentication invalidates the server-side Blackboard session, not only the SSO credential, before treating the report as inapplicable.

Short Description

Blackboard Academic Suite reportedly fails to clear session state when it deauthenticates an idle user, letting the next local user of the same workstation continue as the previous user without re-authenticating; the vendor disputes this as a customer-specific Kerberos single sign-on issue rather than a product flaw.

References:

Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-01/0520.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0015.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0017.html
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0018.html
CVE-2006-0511
Bugtraq ID: 16438