Wednesday, October 30, 2002

more DLS vulnerabilities

About two months ago, I reported an oversight in which my school's student information system inadvertently disclosed users' default passwords. Since then, I've discovered several more vulnerabilities. I'm sure they've all been patched, so I don't think Mr. Randall will mind me posting about them. Here are a few of the ones I've found:

Changing other users' account settings

This one was particularly serious as it could allow an attacker to compromise other users' accounts. The HTML form where users entered their profile information had a hidden field containing the internal ID of the target user. By using JavaScript to change its value, it was possible to overwrite another user's account settings.

They included security questions, which could allow a malicious user to take control of anyone's account - including those of teachers and administrators. I'm really glad I found this bug before someone with less-than-innocent intentions did.

Forced file uploads and spoofed IP addresses

The DLS is configured to allow only certain file extensions to be uploaded. This is important because some files could contain viruses, or even allow an attacker to execute arbitrary code on the server. The file extensions were only validated using client-side scripting, so by invoking the JavaScript function that submits the form, it was possible to bypass this check entirely. From what I've read, file inclusion vulnerabilities are the most common security issue in web applications.

The server also records the IP address from which a file is uploaded. As in the case of account settings, the IP was stored in a hidden field in the file upload form. Using this information, I could upload stuff under a fake IP. Even non-numerical "addresses" were accepted.

Other DLS features were similarly affected. For example, the school recently disabled the option for students to change their names, but I was still able to rename myself to "l337 h4x0r" using this method. ^_^

It seems the majority of these vulnerabilities were the result of not validating HTTP POST parameters.
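As an added illustration (not DLS code, and not from the original post), the following shows the hidden-field pattern described above beside the server-side fix: the account to modify and the uploader's IP come from the session and the connection rather than from POST parameters, and the extension allow-list is enforced on the server. The session table, user IDs, cookie value and allowed extensions are constructed stand-ins.

```python
import os
from dataclasses import dataclass

# Constructed stand-ins for server-side state: which account each session
# cookie really belongs to, and which file types the server will accept.
SESSIONS = {"sess-abc": 4711}                  # session cookie -> real user ID
ALLOWED_EXTENSIONS = {".doc", ".txt", ".pdf"}  # constructed allow-list


@dataclass
class Request:
    cookie: str        # session identifier presented by the browser
    remote_addr: str   # peer address observed by the server, not a form field
    form: dict         # POST parameters; everything here is client-controlled


def vulnerable_save_profile(req, accounts):
    # Trusts the hidden user_id field, so any logged-in user can overwrite
    # any other user's security question simply by editing that field.
    accounts[int(req.form["user_id"])]["security_question"] = req.form["question"]


def hardened_save_profile(req, accounts):
    # The target account is taken from the server-side session; the form
    # cannot choose whose settings get written. Returns the ID that was updated.
    uid = SESSIONS.get(req.cookie)
    if uid is None:
        raise PermissionError("not logged in")
    accounts[uid]["security_question"] = req.form["question"]
    return uid


def hardened_upload(req):
    # Server-side versions of the checks the DLS left to the browser.
    uid = SESSIONS.get(req.cookie)
    if uid is None:
        raise PermissionError("not logged in")
    # Strip any directory part, then check the extension against the allow-list.
    name = os.path.basename(req.form["filename"])
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {ext!r} not allowed")
    # Record the address the connection came from; any "ip" form field is ignored.
    return {"owner": uid, "filename": name, "ip": req.remote_addr}
```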

Viewing other students' recycle bins

Only the files in a user's public folder were intended to be accessible to other users. However, it was possible to view the contents of other students' recycle bins (although not their other personal files) via URL manipulation. This was a relatively minor issue, although it could have posed privacy concerns.

As with all new software, chances are that the DLS still has undiscovered vulnerabilities. But because the software is closed-source, and I do not know much about developing web applications, there are only so many bugs I could help find. In this case, it's probably a good idea for ACMA to request an independent software audit.

In other news...

There was a Halloween dance last Friday, which was the first of its kind at LAHS. I didn't feel like going because it was somewhat expensive compared to the other stag dances, but I'm nevertheless looking forward to the one in December. :-)
