Date: Fri, 21 May 2010 06:55:38 -0700
From: "epixoip" <>
Subject: SDS Parent Connect SQL Injection

Vendor	: Specialized Data Systems (SDS)

Product	: Parent Connect

Version	: 2010.04.11 tested, all versions presumed vulnerable


Description (from vendor website):

"SDS [...] brings to your school/district a comprehensive WEB BASED
program with unmatched reporting capabilities. From Student
Demographics, Attendance, Grades, Discipline, through SDS's
integrated Gradebook, Fee Processing and Health Records, you will
find a completely integrated system. Since the SDS program is
totally WEB BASED, you only need a browser on your PC or Mac to
access the powerful system. Included in the standard package is
Parent Connect that allows parents/students to access their
students' records from any location."

"Your Parents will find Parent Connect to be an important
communication link. Parent Connect provides schools with the
ability to connect the school and the parents together with a
simple, powerful Internet link you can simple add to your schools
website. Get CONNECTED Today!"

Vulnerability Summary:

Every POST parameter within the Parent Connect web application is
vulnerable to SQL injection.


One out of every three US K-12 school districts is using SDS
Parent Connect, according to a quick phone call to 800-323-1605.


Medium; nothing of real value to any sort of an attacker (except
maybe a stalker) is present here, but it's enough to give school
kids a boner, make soccer moms queef a brick, and give school
administrators a heart attack. Someone will probably get
fired/expelled. *You're welcome.*

Exploitation grants the ability to view any student's personal
information (name, parents' names, address, phone number, etc),
medical records, grades, attendance (class and day), class
schedule, disciplinary actions, standardized test scores,
transcript, book rent balances, notifications sent home to the
parent (apparently we don't send notes home with kids these days),
and the ability to enroll/disenroll the student from school.

Google Dork:

intitle:"SDS Parent Connect"


Every POST parameter is vulnerable. 'nuff said.

All right, I'll go into more detail.

It's an ASP app with an MS Access database backend. Error messages
are *extremely* verbose (and presented in an annoying javascript
alert box), but you won't be able to pump any data directly out of
the database. There's probably more you can do, but I don't know
Access/JET very well, and I don't really care.

Authentication bypass is possible on the portal login page: enter any
username, as apparently it doesn't matter what you enter here --
you'll be authenticated as someone. Enter ' OR '1'='1 in the
password field. You'll now be viewing some random student's
information. Great job!

Want to see more? Parent Connect has this bitchin' "link accounts"
feature, where if you have more than one child enrolled in the
school district you could link their userids together so that you
only have to login once to view all of your kids' information.
Entering the current student's userid (found on the main homepage)
in the "link accounts" form followed by ' OR '1'='1 in the password
field will link *every* student in the entire school district to
the account you're using. When you go back to the homepage you'll
see a nice table (likely several thousand pages long) with the
heading "Select Student," where you can click on any student's name
to view all their information. Presumably since the accounts are
all linked now, anyone who logs in using any userid will be able to
see everyone's information. I can't be bothered to confirm that
though, but it's neat to think about.


5-21-2010 - Stumbled across this while taking a shit (thanks, wifi!)
5-21-2010 - Ate some cereal
5-21-2010 - Watched some Adult Swim
5-21-2010 - Posted random shit to FD
5-21-2010 - ??
5-22-2010 - Profit
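
Why the password-field input quoted above authenticates as an arbitrary student, and why the same input in "link accounts" matches every row, next to the parameterized form that prevents both. This is an added example, not part of the original post and not the vendor's code. The table layout, function names and sample rows are assumptions, and in-memory SQLite stands in for the Access/JET backend.

```python
import sqlite3

TAUTOLOGY = "' OR '1'='1"  # the password-field input quoted in the advisory

def make_db():
    # Constructed sample data; hypothetical schema, SQLite in place of Access/JET.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (userid TEXT PRIMARY KEY, password TEXT, linked_to TEXT)")
    db.executemany("INSERT INTO students VALUES (?, ?, NULL)",
                   [("s1001", "maple7"), ("s1002", "otter3"), ("s1003", "birch9")])
    return db

def login_concat(db, userid, password):
    # Vulnerable pattern: input is spliced into the SQL text, so a quote ends the literal.
    sql = ("SELECT userid FROM students WHERE userid = '" + userid +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_param(db, userid, password):
    # Hardened: placeholders bind input as data, never as SQL syntax.
    row = db.execute("SELECT userid FROM students WHERE userid = ? AND password = ?",
                     (userid, password)).fetchone()
    return row[0] if row else None

def link_concat(db, parent, userid, password):
    # Same flaw in a write path: AND binds tighter than OR, so the WHERE is true for all rows.
    sql = ("UPDATE students SET linked_to = '" + parent + "' WHERE userid = '" +
           userid + "' AND password = '" + password + "'")
    return db.execute(sql).rowcount

def link_param(db, parent, userid, password):
    # Hardened write path: only a row with matching credentials is updated.
    cur = db.execute("UPDATE students SET linked_to = ? WHERE userid = ? AND password = ?",
                     (parent, userid, password))
    return cur.rowcount

if __name__ == "__main__":
    db = make_db()
    print("concat login :", login_concat(db, "anyone", TAUTOLOGY))
    print("param login  :", login_param(db, "anyone", TAUTOLOGY))
    print("concat link  :", link_concat(db, "s1001", "s1001", TAUTOLOGY), "rows linked")
    print("param link   :", link_param(db, "s1001", "s1001", TAUTOLOGY), "rows linked")
```

In classic ASP the equivalent fix is an ADODB.Command with bound parameters instead of a concatenated SQL string, together with generic error pages so database errors are not echoed to the browser.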

