This was posted to BugTraq today. My response? Figures. Seems they must still have the same crew working on sessions.
Blackboard? Yeah. It doesn't seem to be vulnerable to that specific one though. And the session keys aren't obvious in the 1-100k space. I'm currently minimally concerned with their session key security, primarily due to the fact that we use webserver passthrough authentication. That means you can't even get to the system's native session keys unless BethelAuth has already authenticated you, and those keys are very well seeded, tied to IP if possible, and held as "expired" in the database for quite a while to prevent reuse.
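The reply above lists three properties of a sound session key store: keys drawn from a CSPRNG rather than a small guessable range, keys bound to the client IP where possible, and expired keys retained for a while so they cannot be replayed. The following is an added example illustrating those three properties; it is not code from Blackboard, BethelAuth or the commenter. The `SessionStore` class, its in-memory dictionaries (standing in for the database the reply mentions), the `now` clock parameter and the retention constant are all assumptions made for the illustration.

```python
import hmac
import secrets
import time

# Constructed value: keep retired keys around for a day so a captured key
# cannot be replayed after its session ends.
EXPIRED_RETENTION_SECONDS = 86400


class SessionStore:
    """Hypothetical in-memory session store (assumption, not a real product's code).

    - create(): keys come from secrets.token_urlsafe (256 bits of CSPRNG output),
      so they are not enumerable in a small integer space.
    - validate(): a key is only accepted from the IP it was issued to.
    - _sweep(): expired keys move to a retained "expired" set and are rejected
      there until the retention window passes, which blocks reuse.
    """

    def __init__(self, ttl_seconds=1800, now=time.time):
        self.ttl = ttl_seconds
        self.now = now              # injectable clock so the behaviour is testable
        self.active = {}            # key -> (client_ip, expires_at)
        self.expired = {}           # key -> retired_at

    def create(self, client_ip):
        """Issue a fresh key bound to client_ip (or None when IP binding is not possible)."""
        key = secrets.token_urlsafe(32)
        self.active[key] = (client_ip, self.now() + self.ttl)
        return key

    def validate(self, key, client_ip):
        """Return True only for a live key presented from the IP it was bound to."""
        self._sweep()
        if key in self.expired:
            return False            # retained expired key: refuse reuse
        entry = self.active.get(key)
        if entry is None:
            return False            # unknown key
        bound_ip, _ = entry
        if bound_ip is not None and not hmac.compare_digest(bound_ip, client_ip):
            return False            # key presented from a different IP
        return True

    def _sweep(self):
        """Retire expired keys and, later, drop retired keys past the retention window."""
        now = self.now()
        for key, (_, expires_at) in list(self.active.items()):
            if expires_at <= now:
                del self.active[key]
                self.expired[key] = now
        for key, retired_at in list(self.expired.items()):
            if retired_at + EXPIRED_RETENTION_SECONDS <= now:
                del self.expired[key]


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=10)
    key = store.create("192.0.2.10")          # constructed client address
    print("same IP accepted:", store.validate(key, "192.0.2.10"))
    print("other IP rejected:", not store.validate(key, "192.0.2.11"))
```

The `compare_digest` call is only a habit for comparing secrets in constant time; the IP itself is not secret, so a plain `==` would be acceptable there. The point the reply makes that this code reflects is the combination: unguessable keys, IP binding when it is possible, and a retention window that makes an expired key a rejected key rather than a reissuable one.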
Copyright ©2000-2008 Jeremy Mooney (jeremy-at-qux-dot-net)
You guys still use that?