-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Vendor : Specialized Data Systems (SDS) Product : Parent Connect Version : 2010.04.11 tested, all versions presumed vulnerable URL : http://www.schooloffice.com/newweb/Items.aspx?catId=c22 Description (from vendor website): "SDS [...] brings to your school/district a comprehensive WEB BASED program with unmatched reporting capabilities. From Student Demographics, Attendance, Grades, Discipline, through SDS's integrated Gradebook, Fee Processing and Health Records, you will find a completely integrated system. Since the SDS program is totally WEB BASED, you only need a browser on your PC or Mac to access the powerful system. Included in the standard package is Parent Connect that allows parents/students to access their students' records from any location." "Your Parents will find Parent Connect to be an important communication link. Parent Connect provides schools with the ability to connect the school and the parents together with a simple, powerful Internet link you can simple add to your schools website. Get CONNECTED Today!" Vulnerability Summary: Every POST parameter within the Parent Connect web application is vulnerable to SQL injection. Exposure: One out of every three US K-12 school districts are using SDS Parent Connect, according to a quick phone call to 800-323-1605. Impact: Medium; nothing of real value to any sort of a attacker (except maybe a stalker) is present here, but it's enough to give school kids a boner, make soccer moms queef a brick, and give school administrators a heart attack. Someone will probably get fired/expelled. *You're welcome.* Exploitation grants the ability to view any student's personal information (name, parents' names, address, phone number, etc), medical records, grades, attendance (class and day), class schedule, disciplinary actions, standardized test scores, transcript, book rent balances, notifications sent home to the parent (apparently we don't send notes home with kids these days), and the abilitiy to enroll/disenroll the student from school. Google Dork: intitle:"SDS Parent Connect" Details: Every POST parameter is vulnerable. 'nuff said. All right, I'll go into more detail. It's an ASP app with an MS Access database backend. Error messages are *extremely* verbose (and presented in an annoying javascript alert box), but you won't be able to pump any data directly out of the database. There's probably more you can do, but I don't know Access/JET very well, and I don't really care. Authentication bypass is possible on portal login page: enter any username, as apparently it doesn't matter what you enter here -- you'll be authenticated as someone. Enter ' OR '1'='1 in the password field. You'll now be viewing some random student's information. Great job! Want to see more? Parent Connect has this bitchin' "link accounts" feature, where if you have more than one child enrolled in the school district you could link their userids together so that you only have to login once to view all of your kids' information. Entering the current student's userid (found on the main homepage) in the "link accounts" form followed by ' OR '1'='1 in the password field will link *every* student in the entire school district to the account you're using. When you go back to the homepage you'll see a nice table (likely several thousand pages long) with the heading "Select Student," where you can click on any student's name to view all their information. Presumably since the accounts are all linked now, anyone who logs in using any userid will be able to see everyone's information. I can't be bothered to confirm that though, but it's neat to think about. Timeline: 5-21-2010 - Stumbled across this while taking a shit (thanks, wifi!) 5-21-2010 - Ate some cereal 5-21-2010 - Watched some Adult Swim 5-21-2010 - Posted random shit to FD 5-21-2010 - ?? 5-22-2010 - Profit -----BEGIN PGP SIGNATURE----- Charset: UTF8 Version: Hush 3.0 Note: This signature can be verified at https://www.hushtools.com/verify wpwEAQMCAAYFAkv2kNsACgkQacHgESW3wZptvwQA0s0+nyhM+v5uI9gXNuM3VaMxOC8N TZFHL7PS6I/K4lwONp/4mkUQgoICuwB3NKl9/Rlsdu9Fa5CkF5tsUSLib23bAOLz3Kx9 VMwjpgxnztiRdc1WWaHBOMusJ/W26I9/MAPkq1i2L0hCAW7LkXjg8DN0O+CgYLLCvpKa TxTVcJc= =/SA0 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/