Wednesday, October 30, 2002

more DLS vulnerabilities

You may remember that I found a security issue in my school's student information system a while ago. It turns out the DLS had additional vulnerabilities. I can talk about them now that they're fixed. Hopefully I don't get in trouble for this. :P

Changing another user's settings

On the profile settings page, the user ID is used to specify the target profile. Because it was stored in a hidden field on the client side, an attacker could manipulate the data and change another user's preferences. It was a serious issue as they could compromise any account — including those with administrative privileges. I'm glad I discovered it before someone with nefarious intentions did.

File inclusion vulnerabilities and IP address spoofing

Due to security concerns, the DLS is configured to only accept certain file types. However, there was nothing more than some JavaScript to validate file extensions. I was able to bypass it by calling the submit() method on the form. This could be exploited to distribute malware or even execute arbitrary code on the server.

IP addresses are recorded when users upload a file. But because this data was also stored on the client side, one could use a fake IP address or even substitute it with an invalid value. By chaining these vulnerabilities, attackers could cover their tracks.

I also found a similar bug in the settings page. Students used to be able to change their name on the site. Although this feature was disabled some time ago, hidden fields with the data remained in use. LAHS recently asked two ACMA engineers to come over so we could discuss the issues. I renamed myself to "l337 h4x0r" during the demo and got a few chuckles. ^_^

Unauthorized access to private files

Only files in a user's public folder are intended to be accessible to others. Everything else is supposed to be private. Each user also has a "recycle bin" for storing deleted files. One thing I noticed is that the user ID is specified in the path to that folder. I was able to access other people's deleted files by simply changing the value.

All these issues were due to the lack of server-side validation. Chances are the DLS still has vulnerabilities. I can only do so much without access to the complete source code. It would be a good idea for ACMA to conduct an independent security audit of the software. Of course, that's a bit above my pay grade. :-)
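To make the "lack of server-side validation" point concrete, here is an added example (mine, not the DLS's own code) that models each of the three weak spots described above next to a server-side version: the profile settings page that takes the account from a hidden field, the upload handler with no server-side type check that records a client-supplied IP, and the recycle-bin path built from a user ID in the request. The `Request` class, the session table, the `/dls/files` storage root and the extension allowlist are all assumptions for illustration; the post only says the DLS accepts "certain file types".

```python
"""Client-trusting handlers beside server-side equivalents (added example)."""
import ipaddress
import posixpath
from dataclasses import dataclass

# Constructed fixture data: two accounts and the table that maps a session
# cookie to the logged-in account. Not taken from the DLS.
USERS = {
    "1001": {"name": "alice", "is_admin": False},
    "1002": {"name": "bob", "is_admin": True},
}
SESSIONS = {"sess-alice": "1001", "sess-bob": "1002"}

# Assumed server-side allowlist and storage root.
ALLOWED_EXTENSIONS = {"txt", "pdf", "doc", "jpg", "gif"}
STORAGE_ROOT = "/dls/files"


@dataclass
class Request:
    session_id: str    # value of the session cookie
    form: dict         # POSTed fields, hidden fields included
    remote_addr: str   # TCP peer address as seen by the server


def session_user_id(req: Request) -> str:
    """Resolve the acting user from the session, never from form data."""
    uid = SESSIONS.get(req.session_id)
    if uid is None:
        raise PermissionError("not logged in")
    return uid


# --- 1. Profile settings: which account gets modified? --------------------

def settings_target_vulnerable(req: Request) -> str:
    # Trusts the hidden 'user_id' field, so any logged-in user can pick any
    # account to edit, admins included.
    return req.form["user_id"]


def settings_target_hardened(req: Request) -> str:
    # The hidden field is ignored; the account comes from the session.
    return session_user_id(req)


# --- 2. Upload: file type check and recorded IP ---------------------------

def accept_upload_vulnerable(req: Request, filename: str) -> dict:
    # No server-side type check (the JavaScript check disappears as soon as
    # submit() is called directly) and the IP is a client-controlled field.
    return {"stored_as": filename, "ip": req.form.get("ip")}


def accept_upload_hardened(req: Request, filename: str) -> dict:
    # Keep only the file name and check its extension against the allowlist.
    base = posixpath.basename(filename.replace("\\", "/"))
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"file type .{ext or '?'} not allowed")
    # Record where the connection actually came from, and make sure it parses
    # as an address before it goes into the audit trail.
    ip = str(ipaddress.ip_address(req.remote_addr))
    return {"stored_as": base, "ip": ip}


# --- 3. Recycle bin: whose folder is opened? -----------------------------

def recycle_path_vulnerable(req: Request, name: str) -> str:
    # User ID taken straight from the request: change it and another user's
    # deleted files are served.
    return f"{STORAGE_ROOT}/{req.form['user_id']}/recycle/{name}"


def recycle_path_hardened(req: Request, name: str) -> str:
    uid = session_user_id(req)
    root = f"{STORAGE_ROOT}/{uid}/recycle"
    # Normalise and confine the result to the caller's own recycle bin so a
    # name such as '../../1002/recycle/x' cannot step out of it.
    full = posixpath.normpath(f"{root}/{name}")
    if full != root and not full.startswith(root + "/"):
        raise PermissionError("path escapes the user's recycle bin")
    return full
```

The common thread is that every hardened handler derives identity from the session and every value that drives a decision (target account, file type, recorded address, storage path) is recomputed or checked on the server; the hidden fields may still be present in the HTML, but nothing reads them.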

In other news...

LAHS had a Halloween dance on Friday to gauge interest in future events. As far as I'm aware, this is something we've never done before. I love dances but skipped this one as it was a little expensive.

Saturday, October 19, 2002

new graphing calculator

I got a TI-89 as a belated birthday present from my parents. It's something I've wanted for a while. Considering that my Casio CFX-9850G has started to show its age, this was the perfect time to upgrade.

From my first impressions, the TI-89 has a lot more features and functions. Also worth mentioning is that the built-in programming language is far superior. I can see why everyone says this is a great calculator. It's basically a handheld computer. But the best part is that my math and physics classes are about to get easier. :-)

Mom has told me to be careful as these devices are often stolen. I hope this doesn't happen to me. One thing for sure is that I'm going to have a hard time concentrating in class. :P

Currently playing: Phoenix

Friday, October 11, 2002

kicked out of Spanish class :-(

I just found out my Spanish III teacher dropped me from the class. It was my mom who told me as Mrs. Schiffman didn't say anything about it to me. Although we knew she didn't like me for various reasons, this was a huge surprise. Despite a great birthday celebration with my parents, the week ended on a sour note.

It's going to be hard to find another class and satisfy the foreign language requirement before I graduate. Learning a new language from scratch isn't exactly simple. Hopefully this won't ruin my chances of getting into a good college...

Update: I was able to transfer to Mr. Miller's web design class. It actually sounds pretty fun as I've always been interested in computers. Considering that we're halfway into the semester, this is something I'm very grateful for. I already know HTML and should be able to quickly catch up. Or at least I hope so. *crosses fingers*

Thursday, October 10, 2002

17th birthday report

I had a nice birthday celebration with my parents. It's hard to believe how fast time goes. Sometimes it still feels like I only turned 16 not too long ago. In any case, happy birthday to me!

So my folks took me to a Mexican restaurant in Mountain View called Fiesta del Mar for dinner. It's always fun to try out new places. Everything we ordered was delicious, especially the seafood enchiladas. I want to go back there, that's for sure.

We also went to a Chinese restaurant for lunch with my grandparents a while ago. Although it wasn't my first choice because we regularly eat Chinese food at home, Mom wanted something everyone would enjoy. I agreed to it because family is number one.

Currently listening to: "Fotografía" by Juanes and Nelly Furtado