About two months ago, I reported an oversight in which my school's student information system inadvertently disclosed users' default passwords. Since then, I've discovered several more vulnerabilities. I'm sure they've all been patched, so I don't think Mr. Randall will mind me posting about them. Here are a few of the ones I've found:
Changing other users' account settings
The account settings included security questions, so this could allow a malicious user to take control of anyone's account - including those of teachers and administrators. I'm really glad I found this bug before someone with less-than-innocent intentions did.
Forced file uploads and spoofed IP addresses
The server also records the IP address from which a file is uploaded. As with the account settings, the IP was stored in a hidden field in the file upload form. Using this information, I could upload stuff under a fake IP. Even non-numerical "addresses" were accepted.
Other DLS features were also similarly affected. For example, the school recently disabled the option for students to change their names, but I was still able to rename myself to "l337 h4x0r" using this method. ^_^
It seems the majority of these vulnerabilities were the result of not validating HTTP POST parameters.
Viewing other students' recycle bins
Only the files in a user's public folder were intended to be accessible to other users. However, it was possible to view the contents of other students' recycle bins (although not their other personal files) via URL manipulation. This was a relatively minor issue, although it could have posed privacy concerns.
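The three problems above share one root cause: the server trusted state it got back from the browser (hidden form fields, the settings a user is allowed to edit, the owner named in a URL) instead of deriving that state on its own side. The following is an added example, not code from the DLS or from this post, showing each vulnerable pattern beside a hardened version in a framework-free Python model of a request. The `Request` class, the field names (`ip`, `file`, `owner`, `display_name`) and the sample users are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Request:
    """Hypothetical request model: the server fills 'user' from the session
    and 'remote_addr' from the TCP peer; only 'form' and 'path_params'
    are client-controlled."""
    user: str
    remote_addr: str
    form: dict = field(default_factory=dict)
    path_params: dict = field(default_factory=dict)

# Constructed sample data standing in for the server's database.
RECYCLE_BINS = {"alice": ["old_essay.doc"], "bob": ["draft.txt"]}
PROFILES = {"alice": {"display_name": "Alice", "email": "a@example.invalid"}}
# Server-side policy: the only settings a user may change about themself.
EDITABLE_FIELDS = {"email", "security_question"}   # display_name is disabled

def record_upload_insecure(req):
    # Vulnerable pattern from the post: the IP comes from a hidden form
    # field and is stored without validation, so any string is accepted.
    return {"user": req.user, "ip": req.form.get("ip"), "file": req.form["file"]}

def record_upload_secure(req):
    # Hardened: ignore any posted 'ip' field entirely, take the address the
    # server observed on the connection, and confirm it parses as an IP.
    try:
        ip = str(ipaddress.ip_address(req.remote_addr))
    except ValueError:
        raise ValueError("peer address is not a valid IP")
    filename = req.form.get("file", "")
    # Reject empty names and anything that could escape the upload folder.
    if not filename or "/" in filename or "\\" in filename or filename.startswith("."):
        raise ValueError("rejected filename")
    return {"user": req.user, "ip": ip, "file": filename}

def update_settings_insecure(req):
    # Vulnerable: every posted key is written, including a hidden 'username'
    # field naming another account and fields the school has disabled.
    target = req.form.get("username", req.user)
    profile = PROFILES.setdefault(target, {})
    profile.update({k: v for k, v in req.form.items() if k != "username"})
    return profile

def update_settings_secure(req):
    # Hardened: the account comes from the session, never from the form, and
    # only fields on the server-side allowlist are written.
    profile = PROFILES.setdefault(req.user, {})
    rejected = sorted(set(req.form) - EDITABLE_FIELDS)
    if rejected:
        raise ValueError("fields not editable: " + ", ".join(rejected))
    profile.update(req.form)
    return profile

def view_recycle_bin_insecure(req):
    # Vulnerable: the owner is taken from the URL, so /bin/<anyone> works.
    return RECYCLE_BINS.get(req.path_params["owner"], [])

def view_recycle_bin_secure(req):
    # Hardened: object-level authorization, the URL may only name the
    # session user (a role check would be added here for administrators).
    owner = req.path_params["owner"]
    if owner != req.user:
        raise PermissionError("not the owner of this recycle bin")
    return RECYCLE_BINS.get(owner, [])

if __name__ == "__main__":
    spoofed = Request("alice", "10.0.0.5", {"ip": "l337", "file": "hw.pdf"})
    print(record_upload_insecure(spoofed)["ip"])   # l337
    print(record_upload_secure(spoofed)["ip"])     # 10.0.0.5
```

The detection angle is the same in each pair: log a rejection whenever a request carries a field the handler did not ask for, or names a resource the session does not own, since a legitimate form never sends those.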
As with all new software, chances are that the DLS still has undiscovered vulnerabilities. But because the software is closed-source, and I do not know much about developing web applications, there are only so many bugs I could help find. In this case, it's probably a good idea for ACMA to request an independent software audit.
In other news...
There was a Halloween dance last Friday, which was the first of its kind at LAHS. I didn't feel like going because it was somewhat expensive compared to the other stag dances, but I'm nevertheless looking forward to the one in December. :-)