You may remember that I found a security issue in my school's student information system about two months ago. Since then, I've discovered several more vulnerabilities. Now that they've all been patched, I don't think Mr. Randall will mind me posting about them. So here they are:
Changing another user's account settings
The web form for entering profile information had a hidden field containing the internal ID of the user. By modifying this value, an attacker could overwrite another user's account settings. This was a serious issue as it could allow the attacker to compromise any account - including those with administrative privileges. I'm really glad I discovered this problem before someone with nefarious intentions did.
Forced file uploads and spoofed IP addresses
The server also records the user's IP address when a file is uploaded. As in the case above, the IP was stored in a hidden field in the upload form, so I could spoof my IP address simply by changing that field. Even invalid values were accepted.
Other DLS features were similarly affected. For example, I was able to rename myself to "l337 h4x0r" even after the name change feature was disabled. ^_^
Viewing another user's recycle bin
Only the files in a user's public folder were intended to be accessible to other users. However, one could view the contents of another user's recycle bin by manipulating the URL. This was a relatively minor issue but could have posed privacy concerns.
The majority of these issues seem to be the result of not validating parameters. Chances are the DLS still has undiscovered vulnerabilities. But because I don't have access to the source code, I could only find so many bugs. An independent software audit would likely uncover much more. After all, I'm only a high school student and not a web developer. :P
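All three bugs above share one root cause: the server trusted a client-supplied identifier (a hidden user ID, a hidden IP field, an owner ID in the URL) instead of server-side state. The following added example, written here and not taken from the DLS, shows the vulnerable pattern beside its fix using a constructed in-memory "database"; `USERS`, `RECYCLE_BIN` and the `session` dict are assumptions standing in for the real application's storage and session layer.

```python
import ipaddress

# Constructed in-memory stand-ins for the application's user table and recycle bins.
USERS = {1: {"name": "alice", "admin": False}, 2: {"name": "admin", "admin": True}}
RECYCLE_BIN = {1: ["old_essay.doc"], 2: ["budget.xls"]}

class Forbidden(Exception):
    """Raised when a request fails an authorization or validation check."""

def update_profile_vulnerable(session, form):
    """Trusts the hidden user_id field: any logged-in user can edit any account."""
    target = int(form["user_id"])  # attacker-controlled value from the form
    USERS[target]["name"] = form["name"]
    return target

def update_profile_fixed(session, form):
    """Identity comes from the server-side session; the hidden field is not trusted."""
    target = session["user_id"]
    if "user_id" in form and int(form["user_id"]) != target:
        # A mismatch is a tamper signal worth logging, never a routing hint.
        raise Forbidden("form user_id does not match session")
    USERS[target]["name"] = form["name"]
    return target

def record_upload_ip_vulnerable(remote_addr, form):
    """Stores whatever the hidden ip field says, valid address or not."""
    return form["ip"]

def record_upload_ip_fixed(remote_addr, form):
    """Takes the client address from the connection and validates it; the form value is ignored."""
    try:
        return str(ipaddress.ip_address(remote_addr))
    except ValueError:
        raise Forbidden("invalid remote address") from None

def view_recycle_bin_fixed(session, owner_id):
    """Object-level authorization: only the owner (or an admin) may list a recycle bin."""
    uid = session["user_id"]
    if uid != owner_id and not USERS[uid]["admin"]:
        raise Forbidden("not your recycle bin")
    return list(RECYCLE_BIN.get(owner_id, []))

def raises_forbidden(fn, *args):
    """Helper: True if fn(*args) is rejected with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```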
In other news...
There was a Halloween dance on the 25th. This was something LAHS had never done before. Though I didn't feel like going because it was a little expensive, I'm nevertheless looking forward to the dance in December. :-)