[<prev] [next>] [day] [month] [year] [list]
Message-Id: <20100521135539.4C3C320065@smtp.hushmail.com>
Date: Fri, 21 May 2010 06:55:38 -0700
From: "epixoip" <epixoip@...h.com>
To: full-disclosure@...ts.grok.org.uk
Subject: SDS Parent Connect SQL Injection
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Vendor : Specialized Data Systems (SDS)
Product : Parent Connect
Version : 2010.04.11 tested, all versions presumed vulnerable
URL : http://www.schooloffice.com/newweb/Items.aspx?catId=c22
Description (from vendor website):
"SDS [...] brings to your school/district a comprehensive WEB BASED
program with unmatched reporting capabilities. From Student
Demographics, Attendance, Grades, Discipline, through SDS's
integrated Gradebook, Fee Processing and Health Records, you will
find a completely integrated system. Since the SDS program is
totally WEB BASED, you only need a browser on your PC or Mac to
access the powerful system. Included in the standard package is
Parent Connect that allows parents/students to access their
students' records from any location."
"Your Parents will find Parent Connect to be an important
communication link. Parent Connect provides schools with the
ability to connect the school and the parents together with a
simple, powerful Internet link you can simple add to your schools
website. Get CONNECTED Today!"
Vulnerability Summary:
Every POST parameter within the Parent Connect web application is
vulnerable to SQL injection.
Exposure:
One out of every three US K-12 school districts are using SDS
Parent Connect, according to a quick phone call to 800-323-1605.
Impact:
Medium; nothing of real value to any sort of a attacker (except
maybe a stalker) is present here, but it's enough to give school
kids a boner, make soccer moms queef a brick, and give school
administrators a heart attack. Someone will probably get
fired/expelled. *You're welcome.*
Exploitation grants the ability to view any student's personal
information (name, parents' names, address, phone number, etc),
medical records, grades, attendance (class and day), class
schedule, disciplinary actions, standardized test scores,
transcript, book rent balances, notifications sent home to the
parent (apparently we don't send notes home with kids these days),
and the abilitiy to enroll/disenroll the student from school.
Google Dork:
intitle:"SDS Parent Connect"
Details:
Every POST parameter is vulnerable. 'nuff said.
All right, I'll go into more detail.
It's an ASP app with an MS Access database backend. Error messages
are *extremely* verbose (and presented in an annoying javascript
alert box), but you won't be able to pump any data directly out of
the database. There's probably more you can do, but I don't know
Access/JET very well, and I don't really care.
Authentication bypass is possible on portal login page: enter any
username, as apparently it doesn't matter what you enter here --
you'll be authenticated as someone. Enter ' OR '1'='1 in the
password field. You'll now be viewing some random student's
information. Great job!
Want to see more? Parent Connect has this bitchin' "link accounts"
feature, where if you have more than one child enrolled in the
school district you could link their userids together so that you
only have to login once to view all of your kids' information.
Entering the current student's userid (found on the main homepage)
in the "link accounts" form followed by ' OR '1'='1 in the password
field will link *every* student in the entire school district to
the account you're using. When you go back to the homepage you'll
see a nice table (likely several thousand pages long) with the
heading "Select Student," where you can click on any student's name
to view all their information. Presumably since the accounts are
all linked now, anyone who logs in using any userid will be able to
see everyone's information. I can't be bothered to confirm that
though, but it's neat to think about.
Timeline:
5-21-2010 - Stumbled across this while taking a shit (thanks, wifi!)
5-21-2010 - Ate some cereal
5-21-2010 - Watched some Adult Swim
5-21-2010 - Posted random shit to FD
5-21-2010 - ??
5-22-2010 - Profit
-----BEGIN PGP SIGNATURE-----
Charset: UTF8
Version: Hush 3.0
Note: This signature can be verified at https://www.hushtools.com/verify
wpwEAQMCAAYFAkv2kNsACgkQacHgESW3wZptvwQA0s0+nyhM+v5uI9gXNuM3VaMxOC8N
TZFHL7PS6I/K4lwONp/4mkUQgoICuwB3NKl9/Rlsdu9Fa5CkF5tsUSLib23bAOLz3Kx9
VMwjpgxnztiRdc1WWaHBOMusJ/W26I9/MAPkq1i2L0hCAW7LkXjg8DN0O+CgYLLCvpKa
TxTVcJc=
=/SA0
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists