You see, Blackboard is so flawed that some professors who teach security classes use it as an example of an easily hackable system. Case in point, our very first assignment was to bypass Blackboard visibility features and access the “instructor only” document posted on the assignment page. I think it took me under a minute to get to it once the problem was explained. Most of the people who brought laptops to class that day were able to get it before the end of the lecture.
You see, just like the WTF system described in the linked article, Blackboard does not have any access restrictions on uploaded files. It sticks them into obscure directories with complex names, but once you figure out the pattern you can access them without any trouble. In fact you can easily harvest the entire contents of the digital dropbox using a relatively simple Perl script.
You can also easily wipe the entire digital dropbox clean by deleting all the submitted files. All you need to do is play around with the URL a little bit. If you create a Perl script not unlike the one above you can just leave it running and go for a coffee while the homework of thousands of students gets trashed. I’m not going to post that exploit here, because I don’t want to feel responsible when someone pulls it off. As far as I know this exploit was never published. Blackboard didn’t seem to care when we tried to report all these issues to them. Kinda like the guy in the article.
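The root cause in both of the above paragraphs is the same: the obscure storage path is the only thing standing between a user and a file, and no authorization check is made on read or delete. The following is an added illustration (my own code, not Blackboard's, with hypothetical course names and paths) of that flawed pattern beside a handler that checks enrollment, role and ownership on every request:

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class User:
    name: str
    role: str      # "student" or "instructor"
    course: str

@dataclass
class StoredFile:
    course: str
    owner: str             # account that uploaded it
    instructor_only: bool  # the "instructor only" visibility flag on the assignment page
    content: bytes

# Constructed sample store keyed by the obscure storage path (hypothetical values).
FILES: Dict[str, StoredFile] = {
    "/courses/cs101/7f3a9c/solutions.pdf": StoredFile("cs101", "prof", True, b"answer key"),
    "/dropbox/cs101/1b2c3d/hw1-alice.pdf": StoredFile("cs101", "alice", False, b"alice hw1"),
    "/dropbox/cs101/4e5f6a/hw1-bob.pdf": StoredFile("cs101", "bob", False, b"bob hw1"),
}

def fetch_by_path_only(path: str) -> Optional[bytes]:
    """Flawed pattern: the hard-to-guess path is the only 'protection'."""
    f = FILES.get(path)
    return f.content if f else None

def fetch(user: User, path: str) -> Optional[bytes]:
    """Hardened: authorize the caller on every request; knowing the path grants nothing."""
    f = FILES.get(path)
    if f is None or f.course != user.course:
        return None                       # not enrolled: same answer as "no such file"
    if f.instructor_only and user.role != "instructor":
        return None                       # students never see instructor-only material
    if not f.instructor_only and f.owner != user.name and user.role != "instructor":
        return None                       # dropbox submissions: owner and course staff only
    return f.content

def delete(user: User, path: str) -> bool:
    """Hardened delete: only the uploader of a submission may remove it."""
    f = FILES.get(path)
    if f is None or f.course != user.course or f.owner != user.name:
        return False
    del FILES[path]
    return True
```

A denied request returns the same result as a missing file, so probing URLs reveals nothing about which paths exist.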
The saddest part is that the system described in Daily WTF is some ugly hack-job conceived and maintained by an incompetent sysadmin. Blackboard, on the other hand, is an enterprise grade, mature software suite deployed at hundreds of universities throughout the country…