Critical authorization vulnerabilities found in information system used by at least 2 major universities

Timeline


Introduction

Due to multiple authorization vulnerabilities in the Student Information System (SIS), which I found while enrolling for an exam, it was possible to retrieve the following information:

HvA

  • 385.000 Names and student identifiers
  • 200.000 Phone numbers
  • 130.000 Student photos

UvA

  • 237.000 Names and student identifiers
  • 131.000 Phone numbers
  • 63.000 Student photos

Affected systems

The vulnerability was found in both the HvA and the UvA implementation of the SIS; it is more than likely that it was also present in the SIS implementations of other universities and institutes.

Vulnerabilities

Vulnerability 1

A decommissioned part of the SIS that lists all students with their names and student identifiers was still accessible. I found it by looking at the source code of the page mentioned in vulnerability 2 (it was in a hidden div; no, I am not joking).

Location: https://sis.hva.nl:8011/psp/S2PRD/EMPLOYEE/HRMS/c/SNS_INFO_ITEMS.SNS_PERS_DTL.GBL

Vulnerability 2

The data of any student/staff member could be accessed by changing the {StudentIdentifier} parameter.

Location: https://sis.hva.nl:8011/psc/S2PRD/EMPLOYEE/HRMS/c/SNS_INFO_ITEMS.SNS_PERS_DTL.GBL?Page=SNS_PERS_DTL1&Action=U&EMPLID={StudentIdentifier}
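As an added illustration (not code from the SIS or from the author), the authorization pattern behind vulnerability 2 and its fix, modelled in Python next to a simple log check; the session object, record store and log-line format are assumptions, and all records and log lines are constructed.

```python
# Added illustration, not the SIS vendor's code: a minimal model of the
# authorization flaw behind vulnerability 2, its fix, and a log check.
# All names, records and log lines below are constructed.
from dataclasses import dataclass

@dataclass
class Session:
    emplid: str            # identifier of the authenticated user
    is_staff: bool = False

# Constructed records keyed by EMPLID (the {StudentIdentifier} parameter).
STUDENTS = {
    "10000001": {"name": "Student A", "phone": "+31 6 0000 0001"},
    "10000002": {"name": "Student B", "phone": "+31 6 0000 0002"},
}

def person_detail_vulnerable(session: Session, emplid: str) -> dict:
    """Vulnerable pattern: the session proves who you are, but the EMPLID from
    the query string is trusted as-is, so any logged-in user can read any
    record (an insecure direct object reference)."""
    return STUDENTS[emplid]

def authorized(session: Session, emplid: str) -> bool:
    """Object-level check: a student may read only their own record; staff
    may read any record."""
    return session.is_staff or session.emplid == emplid

def person_detail_fixed(session: Session, emplid: str) -> dict:
    """Fixed pattern: authorize the (user, record) pair on every request."""
    if not authorized(session, emplid):
        raise PermissionError(f"session {session.emplid} may not read {emplid}")
    return STUDENTS[emplid]

# Constructed access-log lines: session id and requested EMPLID per request.
LOG_LINES = [
    "sid=abc EMPLID=10000001",
    "sid=abc EMPLID=10000002",
    "sid=abc EMPLID=10000003",
    "sid=def EMPLID=10000002",
]

def enumerating_sessions(log_lines, threshold: int = 2) -> list:
    """Sessions that requested more than `threshold` distinct EMPLIDs, a simple
    signal of identifier walking rather than normal self-service use."""
    seen = {}
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split())
        seen.setdefault(fields["sid"], set()).add(fields["EMPLID"])
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)
```

The fixed handler checks the requested EMPLID against the session on every request, which is the control that was missing here; the log check is a cheap way to spot one session walking many identifiers.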

Exploitation

Step 1

Retrieve all the student identifiers by exploiting vulnerability 1. We will use the data retrieved in this step for step 2.

[Screenshot: student identifiers and full names (pixelated)]

Step 2

Retrieve all the student details (photo, phone number) by exploiting vulnerability 2, using the list of student identifiers acquired in step 1.

[Screenshot: student data (pixelated)]

Step 3

Download all the images, using the URLs retrieved in step 2.

[Screenshot: student images (pixelated)]

Author

Nelson Berg

Founder @ BinaryIT | Nelson.Berg@binaryit.net (PGP)

Pentester @ Securify B.V. | Nelson.Berg@securify.nl (PGP)

Follow Us @BIT_Secure