Blackboard 5.x Password Retrieval Vulnerability


Through the exploitation of a SQL injection vulnerability it is possible for an unauthenticated user to query the Blackboard user directory and:

  • Enumerate users with a given password.
  • Extract the MD5 password of any given user.

Blackboard Learning System 5.x, level 1 and 2 are affected.

Using the address book search feature to search for the keyword 'meow' will generate the following request:


The 'by=lastname' parameter is propagated with one of two possible values from an HTML form, either last name or e-mail address. Generating a hand made request with the 'by' parameter set as 'ruff' renders the following SQL error:

    SELECT U.pk1, U.sos_id_pk2, U.firstname,
           U.middlename, U.lastname, U.title,
 , U.user_id, U.job_title,
           U.department,, U.street_1,
           U.street_2,, U.state, U.zip_code,
 , U.b_phone_1, U.b_phone_2,
           U.h_phone_1, U.h_phone_2, U.m_phone,
           U.b_fax, U.h_fax, U.webpage, U.email_ind,
           U.address_ind, U.work_ind, U.phone_ind
    FROM users U
    WHERE U.row_status = 0
        AND U.available_ind = 'Y'
        AND U.public_ind    = 'Y'
        AND U.system_role  != 'z'
        AND U.system_role  != 'u'
        AND upper(U.ruff) LIKE '%MEOW%'
        ORDER BY U.lastname, U.firstname

The above error was generated because there is no field named 'ruff' in the users table. Further experimentation reveals that that the 'keywordraw' parameter (MEOW here) is non-alphanumeric stripped and upper cased. The 'by' parameter on the other hand is not filtered allowing an attacker to control the SQL query from 'upper(U.'. By guessing the name of the field that stores user passwords (passwd), an attacker is able to enumerate all users with specific characters in their password. With some experimentation it becomes quickly apparent that passwords are stored as MD5 hashes (very common). It is now a trivial matter for an attacker to quickly generate a list of valid username and password combinations by searching for users with easily guessable passwords such as MD5("blackboard"), MD5("password"), or MD5("organization name").

It is also possible for an attacker to extract a specific users password. This is accomplished through the following steps:

  • Search for all accounts that have the letter 'a' in their hashed password.
  • If the target user does not appear in this list then choose another letter, otherwise attempt to narrow down the list by searching for all accounts with the sequence 'ab' in their hashed password.
  • If the target use does not appear in this list then choose another sequence such as 'ac' or 'ad'.
  • Continue this process until the entire 32-character hash is extracted.

This process is labor and time intensive when done by hand; however, it is easily scripted. Attached is a sample password extractor script that requires only some manual labor to start. The following is a brief synopsis of its usage:

  • Determine the current session id from the current session-based cookie.
  • Follow the above outlined steps to narrow the list of accounts containing the target user to a single page.
  • Modify the attached Perl script to contain the initial sequence (ex: 'abcd') from the previous step and the session id.
  • Uncomment the "work forward" lines in the script. Run.
  • The script should automatically determine the forward half of the target users hashed password. So 'abcd' may become 'abcd12345678...'.
  • Next, comment out the "work forward" lines and uncomment the "work backwards" lines in the script. Run.
  • The script should automatically determine the backward half of the target users hashed password. So 'abcd' may become '12345678...abcd'.
  • The combination of the two halves is the entire extracted hashed password.
  • At this point a dictionary or brute force attack can utilized to determine the target users un-hashed password.

A valid account is not required to exploit the above-described vulnerabilities. Most (all?) organizations have a "preview" button on the login screen allowing anyone to login to a restricted version of the system. Preview users are not given an interface to the address book. However, despite the fact that the address book is "hidden" from preview users, it is not actually restricted. The scripts required in exploitation are indeed accessible to the preview user thereby opening the window of exploitation to any remote user.

On a final note if an attacker could guess the codes that Blackboard uses for system roles then it becomes possible to target attacks on important users such as instructors and teaching assistants with the following query:

                         &by=passwd) LIKE \
    '%%' AND U.system_role = 't' AND upper(U.passwd

Modifying the U.system_role = 't' is the key here.


  • Usage of unfiltered user provided data within SQL queries is a common web application programming error.
  • Blocked and/or removed functionality should be enforced on the back end as well as the front end.
  • User authentication information should not be stored in the same table as biographical information. Cross table SQL injection tricks are more difficult to find and the authentication table should only be accessed on authentication needs.
  • Suppress script failure debug outputs in production environments.

The Blackboard team was concerned, quick to respond, open to suggestions, professional, and even took the time to teleconference. Over all I was very impressed with their handling of the situation.

08/07/2002 - Vulnerability discovered.
08/08/2002 - My University contacted.
08/11/2002 - First contact with David Yaskin
             at Blackboard.
08/30/2002 - Patch test with my University.
09/01/2002 - Fix made available and announcement
             made to Blackboard community.
01/21/2003 - Public release.

A security hotfix is now available through Blackboard that will address recently identified issues related to the Blackboard User Directory. Although there have been no reported security breaches, Blackboard would like to share this important information with clients. For locally installed clients running on release 5.5.1 or later (including Blackboard Learning System - ML), the recommended solution is to obtain the hotfix by calling Blackboard Product Support at 1-888-788-5264 or by submitting a service request ticket through the Blackboard Product Support Web site. For locally installed clients running on releases earlier than 5.5.1, the recommended solution is to upgrade to 5.5.1 and then apply the hotfix. To upgrade to release 5.5.1, system administrators can go to and click on the "Hotfixes and Updates" icon to obtain the download. Once release 5.5.1 has been installed, you may obtain the hotfix by calling Blackboard Product Support at 1-888-788-5264 (+1-202-715-6019 for international clients); or by submitting a service request ticket through the Blackboard Product Support Web site.

For all Learning System and Learning and Community Portal System (formerly Blackboard 5 Level Three) clients running on releases earlier than 5.5.1, please contact your Account Manager, at 202-463-4860 prior to upgrading.

UNAFFECTED: Clients who are using our Enterprise product capability of completely externalizing external authentication, and have implemented Blackboard Learning System, Level 3 using LDAP, Kerberos, Active Directory, or Active Directory are unaffected.

Clients running on Blackboard CourseInfo need not take action at this time, as the potential security vulnerability does not affect this platform.

Clients running on the Blackboard Transaction System are unaffected.

Blackboard offers a complete suite of enterprise software products and services that power a total "e-Education Infrastructure" for schools, colleges, universities, and other education providers.

Blackboard offers a suite of products. This article refers specifically to the Blackboard Learning System 5.x, Level 1 and 2. If you are using the Enterprise product capability of completely externalizing authentication, you are not affected.

Thanks go to Ralph Schindler for aiding me in this research, and David Yaskin at Blackboard for his time and commitment.