Wednesday, October 30, 2002

more DLS vulnerabilities

You may remember that I found a security issue in my school's student information system about two months ago. Since then, I've discovered several more vulnerabilities. Now that they've all been patched, I don't think Mr. Randall will mind me posting about them. So here they are:

Changing another user's account settings

The web form for entering profile information had a hidden field containing the internal ID of the user, and the server trusted that value rather than the identity of the logged-in session. By modifying this value, an attacker could overwrite another user's account settings. This was a serious issue as it could allow the attacker to compromise any account - including those with administrative privileges. I'm really glad I discovered this problem before someone with nefarious intentions did.

Forced file uploads and spoofed IP addresses

The DLS is configured to accept only files with certain extensions. This is important because some files could contain viruses or even allow an attacker to execute arbitrary code on the server. However, because the file extensions were only validated on the client side, the user could bypass the check by invoking the JavaScript function that submits the form directly, skipping the validation handler. (Any client-side check can be bypassed this way, or by crafting the HTTP request by hand, so the server has to repeat it.) From what I've read, unrestricted file upload vulnerabilities of this kind are very common in web applications.

The server also records the user's IP address when a file is uploaded. As in the profile form, the IP was stored in a hidden field in the upload form rather than taken from the connection. This allowed me to spoof my IP address. Even invalid values were accepted.

Other DLS features were similarly affected. For example, I was able to rename myself to "l337 h4x0r" even after the name change feature was disabled. ^_^
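Here is an added example (not the DLS's code, whose source I don't have) of the upload handling described above: a handler that trusts the browser's extension check and a hidden IP field, beside one that repeats the extension check on the server and records the address the connection itself reported. The form layout, the `remote_addr` argument and the extension allowlist are all assumptions made for the example.

```python
"""Added example, not the DLS's code: server-side upload validation.

Assumptions for this example: the form arrives as a dict of string fields,
the connection's peer address is passed in as remote_addr, and the
allowlist below stands in for whatever the DLS actually permits.
"""
import ipaddress
import os

ALLOWED_EXTENSIONS = {".txt", ".doc", ".pdf", ".jpg", ".gif"}  # assumed allowlist


class UploadRejected(Exception):
    """Raised by the hardened handler when the server-side check fails."""


def safe_extension(filename):
    """Lower-cased final extension of the bare file name, or '' if none.

    Only the last suffix counts, so 'report.pdf.exe' is an .exe, and the
    basename() call discards any directory part such as '../'.
    """
    return os.path.splitext(os.path.basename(filename))[1].lower()


def upload_allowed(filename):
    """True if the file's extension is on the server-side allowlist."""
    return safe_extension(filename) in ALLOWED_EXTENSIONS


def handle_upload_vulnerable(form):
    """Vulnerable: assumes the browser's JavaScript already rejected bad
    extensions (it can be skipped) and records whatever IP the hidden
    field contains, valid or not."""
    return {"name": form["filename"], "ip": form["ip"]}


def handle_upload_fixed(form, remote_addr):
    """Hardened: the extension is checked here regardless of what the
    client did, and the recorded IP comes from the connection, not the
    form.  A hidden 'ip' field, if still present, is ignored."""
    if not upload_allowed(form["filename"]):
        raise UploadRejected(
            f"extension {safe_extension(form['filename'])!r} is not allowed")
    # ip_address() raises ValueError on garbage such as '999.1.1.1'; since
    # remote_addr comes from the socket layer, that would be a server bug.
    ip = str(ipaddress.ip_address(remote_addr))
    return {"name": os.path.basename(form["filename"]), "ip": ip}


if __name__ == "__main__":
    # Constructed request: a disallowed file with a forged hidden IP field.
    forged = {"filename": "shell.asp", "ip": "999.1.1.1"}
    print("vulnerable accepted:", handle_upload_vulnerable(forged))
    try:
        handle_upload_fixed(forged, "10.0.0.5")
    except UploadRejected as exc:
        print("fixed rejected:", exc)
    print("fixed accepted:",
          handle_upload_fixed({"filename": "notes.TXT", "ip": "999.1.1.1"},
                              "10.0.0.5"))
```

One caveat: `remote_addr` is only meaningful if the application server sees the client directly. Behind a reverse proxy it is the proxy's address, and the `X-Forwarded-For` header that proxies add is itself client-supplied unless the proxy is configured to strip and replace it, so it needs the same skepticism as the hidden field.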

Viewing another user's recycle bin

Only the files in a user's public folder were intended to be accessible to other users. However, one could view the contents of another user's recycle bin via URL manipulation, since the server did not check that the requester owned the folder. This was a relatively minor issue but could have posed privacy concerns.
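The profile-settings bug and the recycle-bin bug are the same mistake: the record to act on is chosen by a client-supplied ID rather than by the server's own record of who is logged in. The following is an added example (not the DLS's code) of both the vulnerable and the hardened form of each handler. The session dict, the user table and the folder layout are constructed for the example.

```python
"""Added example, not the DLS's code: authorization from the server-side
session instead of from client-supplied IDs.

Assumptions: `session` is a dict the server filled in at login, `form` is
the parsed POST body, and the two tables below stand in for the real data.
"""
import copy

# Constructed sample data: user 1 is an administrator, 101 a student.
USERS = {
    1:   {"name": "Mr. Randall", "role": "admin", "email": "admin@example.invalid"},
    101: {"name": "Alice",       "role": "student", "email": "alice@example.invalid"},
}
FILES = {
    1:   {"public": ["syllabus.pdf"], "recycle_bin": ["old_grades.xls"]},
    101: {"public": ["essay.doc"],    "recycle_bin": ["draft1.doc"]},
}


class Forbidden(Exception):
    """Raised when a request targets a record the requester does not own."""


def fresh_tables():
    """Independent copies of the sample tables, so callers can mutate them."""
    return copy.deepcopy(USERS), copy.deepcopy(FILES)


def update_profile_vulnerable(form, users):
    """Vulnerable: the record updated is whichever ID the hidden field
    carried, so an attacker can pick any user, including an admin.
    Returns the ID that was actually modified."""
    uid = int(form["user_id"])          # attacker-controlled
    users[uid]["email"] = form["email"]
    return uid


def update_profile_fixed(session, form, users):
    """Hardened: the record updated is the logged-in user's.  The form may
    still contain a user_id field; it is simply never read."""
    uid = session["user_id"]            # set by the server at login
    users[uid]["email"] = form["email"]
    return uid


def folder_access_allowed(session, owner_id, folder):
    """Public folders are readable by anyone who is logged in; every other
    folder (recycle bin included) only by its owner."""
    return folder == "public" or session["user_id"] == owner_id


def list_folder(session, owner_id, folder, files):
    """Hardened listing: the owner and folder still come from the URL, but
    the ownership check is enforced before anything is returned."""
    if not folder_access_allowed(session, owner_id, folder):
        raise Forbidden(f"user {session['user_id']} may not read "
                        f"{owner_id}/{folder}")
    return list(files[owner_id][folder])


if __name__ == "__main__":
    users, files = fresh_tables()
    alice = {"user_id": 101}
    # Alice submits the profile form with the hidden user_id changed to 1.
    evil_form = {"user_id": "1", "email": "alice-owns-this@example.invalid"}
    print("vulnerable modified user", update_profile_vulnerable(evil_form, users))
    print("fixed modified user", update_profile_fixed(alice, evil_form, users))
    print("admin public:", list_folder(alice, 1, "public", files))
    try:
        list_folder(alice, 1, "recycle_bin", files)
    except Forbidden as exc:
        print("denied:", exc)
```

The point of `update_profile_fixed` is that there is nothing left for the attacker to tamper with: identity is read from state the server created, and the only thing the form controls is the new value. Where a handler genuinely must take an ID from the URL, as `list_folder` does, an explicit ownership or role check has to run before any data is read or written.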

The majority of these issues seem to be the result of trusting client-supplied parameters instead of validating them on the server. Chances are the DLS still has undiscovered vulnerabilities. But because I don't have access to the source code, I could only find so many bugs. An independent software audit would likely uncover much more. After all, I'm only a high school student and not a web developer. :P

In other news...

There was a Halloween dance on the 25th. This was something LAHS had never done before. Though I didn't feel like going because it was a little expensive, I'm nevertheless looking forward to the dance in December. :-)
