Wednesday, October 30, 2002

more DLS vulnerabilities

You may remember that I found a security issue in my school's student information system about two months ago. Since then, I've discovered several more vulnerabilities. Now that they've all been patched, I don't think Mr. Randall will mind me posting about them. So here they are:

Changing another user's account settings

The web form for entering profile information had a hidden field containing the internal ID of the user. By modifying this value, an attacker could overwrite another user's account settings. This was a serious issue as it could allow the attacker to compromise any account - including those with administrative privileges. I'm really glad I discovered this problem before someone with nefarious intentions did.

Forced file uploads and spoofed IP addresses

The DLS is configured to accept only files with certain extensions. This is important because some files could contain viruses or even allow an attacker to execute arbitrary code on the server. However, because the file extensions were only validated on the client side, the user could bypass the check by invoking the JavaScript function that submits the form. From what I've read, file inclusion vulnerabilities are very common in web applications.

The server also records the user's IP address when a file is uploaded. Like in the above case, the IP was stored in a hidden field in the upload form. This allowed me to spoof my IP address. Even invalid values were accepted.

Other DLS features were similarly affected. For example, I was able to rename myself to "l337 h4x0r" even after the name change feature was disabled. ^_^

Viewing another user's recycle bin

Only the files in a user's public folder were intended to be accessible to other users. However, one could view the contents of another user's recycle bin via URL manipulation. This was a relatively minor issue but could have posed privacy concerns.

The majority of these issues seem to be the result of not validating parameters. Chances are the DLS still has undiscovered vulnerabilities. But because I don't have access to the source code, I could only find so many bugs. An independent software audit would likely uncover much more. After all, I'm only a high school student and not a web developer. :P

In other news...

There was a Halloween dance on the 25th. This was something LAHS had never done before. Though I didn't feel like going because it was a little expensive, I'm nevertheless looking forward to the dance in December. :-)

Saturday, October 19, 2002

new graphing calculator

I got a TI-89 today as a late birthday present. This means I can finally retire my Casio CFX-9850G after all those years. But the most important thing is that my math and physics classes are about to get a lot easier. :-)

At any rate, the TI-89 is really awesome. It has so many features and functions that I don't even know where to begin. This thing can also run a large number of applications. Speaking of which, the TI-BASIC programming language is much more versatile than the one on the Casio 9850 series. In a sense, the TI-89 is like a miniature computer.

Now I just have to hope my new toy doesn't get stolen. From what I've heard, fancy calculators are considered valuable targets. One thing for sure is that I'm going to have a hard time concentrating in class for the next few weeks. Haha.

Currently playing: Phoenix

Friday, October 11, 2002

I got kicked out of Spanish class :-(

Today sucked as Mrs. Schiffman kicked me out of Spanish III. It was my parents who told me as she didn't say anything about it in class. I can't say I didn't see this coming because I had always sensed that Mrs. Schiffman didn't like me very much. However, this still ruined the mood, especially considering that I had just celebrated my 17th birthday the day before.

On the other hand, Mr. Miller has kindly agreed to take me into his web design class. The good news is it shouldn't be too hard for me to catch up because I'm already quite familiar with HTML and JavaScript. At least I hope that's the case. *fingers crossed*

The downside is that I'll have to find another way to satisfy my foreign language requirement. Learning a new language from scratch isn't exactly a walk in the park...

Thursday, October 10, 2002

happy 17th birthday to me

I just turned 17 years old. It's hard to believe I'll be legal next year. In any case, happy birthday to me and everyone else born on October 10. :-)

To celebrate the occasion, my parents took me to a Mexican restaurant in Mountain View called Fiesta del Mar for dinner. This was our first time eating here. The food was really good, especially the seafood enchiladas. Yum!

We also took my maternal grandparents to lunch at a Chinese restaurant this past weekend. I'd normally have picked something else - mainly because we usually eat Chinese food at home - but Mom wanted something the grandparents would also like. Family comes first after all.

Currently listening to: "FotografĂ­a" by Juanes and Nelly Furtado