Wednesday, October 30, 2002

more DLS vulnerabilities

You may remember that I found a security issue in my school's student information system a while ago. It turns out the DLS had additional vulnerabilities. I can talk about them now that they're fixed. Hopefully I don't get in trouble for this. :P

Changing another user's settings

On the profile settings page, the user ID is used to specify the target profile. Because it was stored in a hidden field on the client side, an attacker could manipulate the data and change another user's preferences. It was a serious issue as they could compromise any account — including those with administrative privileges. I'm glad I discovered it before someone with nefarious intentions did.

File inclusion vulnerabilities and IP address spoofing

Due to security concerns, the DLS is configured to only accept certain file types. However, there was nothing more than some JavaScript to validate file extensions. I was able to bypass it by calling the submit() method on the form. This could be exploited to distribute malware or even execute arbitrary code on the server.

IP addresses are recorded when users upload a file. But because this data was also stored on the client side, one could use a fake IP address or even substitute it with an invalid value. By chaining these vulnerabilities, attackers could cover their tracks.

I also found a similar bug in the settings page. Students used to be able to change their name on the site. Although this feature was disabled some time ago, hidden fields with the data remained in use. LAHS recently asked two ACMA engineers to come over so we could discuss the issues. I renamed myself to "l337 h4x0r" during the demo and got a few chuckles. ^_^

Unauthorized access to private files

Only files in a user's public folder are intended to be accessible to others. Everything else is supposed to be private. Each user also has a "recycle bin" for storing deleted files. One thing I noticed is that the user ID is specified in the path to that folder. I was able to access other people's deleted files by simply changing the value.

All these issues were due to the lack of server-side validation. Chances are the DLS still has vulnerabilities. I can only do so much without access to the complete source code. It would be a good idea for ACMA to conduct an independent security audit of the software. Of course, that's a bit above my pay grade. :-)
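To make the "server-side validation" point concrete, here is an added example (my own illustration, not the DLS's code and not anything ACMA has published) of the three handlers above written both ways: a version that trusts what the form sends, and a version that takes the user identity from the session, the client address from the connection, and the file-type decision from an allowlist on the server. A tiny stand-in request object replaces a real web framework so it runs offline; the field names, the allowlist, the directory layout under `/dls/users` and the sample inputs are all assumptions.

```python
"""Vulnerable vs. fixed handlers for the DLS issues described above.

Added example, not the DLS's code. A minimal Request class stands in for a web
framework; field names, the extension allowlist and the path layout are assumed.
"""
import os
import posixpath

ALLOWED_EXTENSIONS = {".pdf", ".txt", ".doc", ".jpg", ".png"}   # assumed allowlist
EDITABLE_FIELDS = {"theme", "email"}   # assumed; "name" is deliberately NOT editable
USERS_ROOT = "/dls/users"              # assumed layout: /dls/users/<id>/recycle/


class Request:
    """Stand-in for a framework request. `form` is attacker-controlled;
    `session_user` and `remote_addr` are facts the server knows on its own."""
    def __init__(self, session_user, remote_addr, form):
        self.session_user = session_user   # from the server-side session cookie
        self.remote_addr = remote_addr     # from the TCP connection
        self.form = form                   # anything posted, hidden fields included


class Forbidden(Exception):
    pass


# 1. Profile settings: the target user must never come from a hidden field.
def update_settings_vulnerable(req, profiles):
    target = int(req.form["user_id"])            # hidden field, attacker-controlled
    for key, value in req.form.items():
        if key != "user_id":
            profiles[target][key] = value        # also accepts "name", though the UI dropped it
    return target


def update_settings_fixed(req, profiles):
    target = req.session_user                    # identity comes from the session only
    profile = profiles[target]
    for key, value in req.form.items():
        if key in EDITABLE_FIELDS:               # user_id, name and anything else are ignored
            profile[key] = value
    return target


# 2. Uploads: check the extension on the server; take the IP from the connection.
def record_upload_vulnerable(req, log):
    filename = req.form["filename"]              # JavaScript "already checked" this
    log.append((filename, req.form["ip"]))       # IP copied from a hidden field
    return filename


def record_upload_fixed(req, log):
    filename = os.path.basename(req.form["filename"])   # drop any directory part
    ext = os.path.splitext(filename)[1].lower()         # ".PHP" and ".php" are the same
    if ext not in ALLOWED_EXTENSIONS:
        raise Forbidden("file type not allowed: %r" % ext)
    log.append((filename, req.remote_addr))             # never from the form
    return filename


# 3. Recycle bin: the user component of the path comes from the session, and
#    the requested file name must not escape that user's own bin.
def recycle_bin_path_vulnerable(req):
    return posixpath.join(USERS_ROOT, req.form["user_id"], "recycle", req.form["file"])


def recycle_bin_path_fixed(req):
    bin_dir = posixpath.join(USERS_ROOT, str(req.session_user), "recycle")
    path = posixpath.normpath(posixpath.join(bin_dir, req.form["file"]))
    if not path.startswith(bin_dir + "/"):       # rejects "../", absolute names and ""
        raise Forbidden("path escapes the recycle bin")
    return path


if __name__ == "__main__":
    # Constructed demo: student 7 posts a request aimed at admin user 1.
    profiles = {1: {"name": "admin", "theme": "light"}, 7: {"name": "student", "theme": "light"}}
    req = Request(7, "10.0.0.5", {"user_id": "1", "name": "l337 h4x0r", "theme": "dark"})
    print("vulnerable edited user", update_settings_vulnerable(req, profiles), profiles[1])
    print("fixed edited user", update_settings_fixed(req, profiles), profiles[7])
    req = Request(7, "10.0.0.5", {"user_id": "1", "file": "../../1/recycle/secret.doc"})
    print("vulnerable path", recycle_bin_path_vulnerable(req))
    try:
        recycle_bin_path_fixed(req)
    except Forbidden as e:
        print("fixed path:", e)
```

The fixed upload handler still has a limitation worth knowing about: `splitext` only looks at the last extension, so the allowlist decides what the web server will serve, not what the file actually contains. Pairing it with storage outside the document root (or a content-type check) is the usual next step, but the point here is simply that every decision the JavaScript made is repeated on the server.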

In other news...

LAHS had a Halloween dance on Friday to gauge interest in future events. As far as I'm aware, this is something we've never done before. I love dances but skipped this one as it was a little expensive.
