Wednesday, October 30, 2002

more DLS vulnerabilities

About two months ago, I reported an oversight in which my school's student information system inadvertently disclosed users' default passwords. Since then, I've discovered several more vulnerabilities. I'm sure they've all been patched, so I don't think Mr. Randall will mind me posting about them. Here are a few of the ones I've found:

Changing other users' account settings

This one was particularly serious as it could allow an attacker to compromise other users' accounts. The HTML form where users entered their profile information had a hidden field containing the internal ID of the target user. By using JavaScript to change its value, it was possible to overwrite another user's account settings.

They included security questions, which could allow a malicious user to take control of anyone's account - including those of teachers and administrators. I'm really glad I found this bug before someone with less-than-innocent intentions did.

Forced file uploads and spoofed IP addresses

The DLS is configured to allow only certain file extensions to be uploaded. This is important because some files could contain viruses, or even allow an attacker to execute arbitrary code on the server. The file extensions were only validated using client-side scripting, so by invoking the JavaScript function that submits the form, it was possible to bypass this check entirely. From what I've read, file inclusion vulnerabilities are the most common security issue in web applications.

The server also records the IP address from which a file is uploaded. Like in the case of account settings, the IP was stored in a hidden field in the file upload form. Using this information, I could upload stuff under a fake IP. Even non-numerical "addresses" were accepted.

Other DLS features were also similarly affected. For example, the school recently disabled the option for students to change their names, but I was still able to rename myself to "l337 h4x0r" using this method. ^_^

It seems the majority of these vulnerabilities were the result of not validating HTTP POST parameters.
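A sketch of the server-side checks whose absence the two sections above describe, added here as an illustration; it is not code from the DLS, which is closed-source. The session and form dictionaries, the field names, the extension allow-list and the sample values are all assumptions.

```python
import ipaddress
import os

# Assumed allow-list and locked fields; the real DLS values are not on the page.
ALLOWED_EXTENSIONS = {".txt", ".doc", ".pdf", ".jpg"}
LOCKED_PROFILE_FIELDS = {"user_id", "display_name"}  # students may not change these


class Rejected(Exception):
    """Raised when a POST fails a server-side check."""


def update_profile(session, post, store):
    """Apply a profile POST to the logged-in user's record only."""
    target = session["user_id"]  # the account comes from the session, not the form
    posted_id = post.get("user_id")
    if posted_id is not None and str(posted_id) != str(target):
        # A tampered hidden field: refuse the whole request so it can be logged.
        raise Rejected("form user_id does not match the logged-in user")
    # Drop fields the user is not allowed to edit, even if the form carries them.
    changes = {k: v for k, v in post.items() if k not in LOCKED_PROFILE_FIELDS}
    store[target].update(changes)
    return changes


def accept_upload(session, post, filename, peer_ip, log):
    """Re-check the extension on the server and record the connection's IP."""
    name = os.path.basename(filename.replace("\\", "/"))  # strip any client path
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise Rejected(f"extension {ext!r} is not allowed")
    # Any "ip" value in the form (post) is ignored; peer_ip is the address of
    # the TCP connection as seen by the server, parsed to ensure it is an IP.
    ip = str(ipaddress.ip_address(peer_ip))
    entry = {"user": session["user_id"], "file": name, "ip": ip}
    log.append(entry)
    return entry
```
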

Viewing other students' recycle bins

Only the files in a user's public folder were intended to be accessible to other users. However, it was possible to view the contents of other students' recycle bins (although not their other personal files) via URL manipulation. This was a relatively minor issue, although it could have posed privacy concerns.

As with all new software, chances are that the DLS still has undiscovered vulnerabilities. But because the software is closed-source, and I do not know much about developing web applications, there are only so many bugs I could help find. In this case, it's probably a good idea for ACMA to request an independent software audit.

In other news...

There was a Halloween dance last Friday, which was the first of its kind at LAHS. I didn't feel like going because it was somewhat expensive compared to the other stag dances, but I'm nevertheless looking forward to the one in December. :-)

Saturday, October 19, 2002

new TI-89 graphing calculator!

I got a brand new TI-89 today as sort of a late birthday present. This means I can finally retire my aging Casio CFX-9850G. But the most important thing is that my math and physics classes are about to get a lot easier. :-)

This calculator is really awesome. It has so many features and functions that I don't even know where to begin. The TI-89 can also run a large number of games and applications. Speaking of which, the TI-BASIC programming language is much more powerful than the one on the CFX-9850G. In a sense, the TI-89 is almost like a miniature computer.

Now I just have to hope my new toy doesn't get stolen. From what I've heard, fancy calculators are among the most valuable targets. One thing for sure is that I'm going to have a hard time concentrating in class for the next few weeks. Heh.

Currently playing: Phoenix

Friday, October 11, 2002

so I got kicked out of Spanish class :-(

The week didn't end too well as Mrs. Schiffman kicked me out of Spanish III today. She didn't say anything about it in class, so it was my parents who broke the news to me. I had always sensed that she didn't like me very much, so I can't say I didn't see this coming. Still, it kind of sucks that this happened just after my 17th birthday.

On the other hand, Mr. Miller has kindly agreed to take me into his web design class. I've missed out on several weeks of lessons, but it shouldn't be too hard for me to catch up because I'm already quite familiar with HTML and JavaScript. At least I hope that's the case. *fingers crossed*

Of course, the downside is that I'll have to find another way to satisfy my foreign language requirement. Learning a new language from scratch isn't exactly a walk in the park...

Thursday, October 10, 2002

happy 17th birthday to me

So I turned 17 today. It's hard to believe this is my last year as a minor. Damn, time goes by fast. In any case, happy birthday to me, and everyone else born on October 10th!

To celebrate the occasion, my parents took me to a Mexican restaurant in Mountain View called Fiesta del Mar for dinner. This was our first time eating here, and I loved the place. The food was hella good, especially the seafood enchiladas. Yum!

This wasn't the only celebration as we also took my maternal grandparents out to lunch at a Chinese restaurant this past weekend. I'd normally have picked something else - not because I don't like Chinese food, but because we already eat a lot of it at home. In any case, we agreed on an Asian place as Mom wanted something the grandparents would also enjoy. Family comes first, right?

Currently listening to: "Fotografía" by Juanes and Nelly Furtado