Lucene search
K

Specialized Data Systems (SDS) SQL Injection

🗓️ 22 May 2010 00:00:00Reported by Jeremi GosneyType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 31 Views

Specialized Data Systems (SDS) SQL Injection vulnerability in Parent Connect 2010.04.1

Code
`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
  
Vendor : Specialized Data Systems (SDS)  
  
Product : Parent Connect  
  
Version : 2010.04.11 tested, all versions presumed vulnerable  
  
URL : http://www.schooloffice.com/newweb/Items.aspx?catId=c22  
  
  
Description (from vendor website):  
  
"SDS [...] brings to your school/district a comprehensive WEB BASED  
program with unmatched reporting capabilities. From Student  
Demographics, Attendance, Grades, Discipline, through SDS's  
integrated Gradebook, Fee Processing and Health Records, you will  
find a completely integrated system. Since the SDS program is  
totally WEB BASED, you only need a browser on your PC or Mac to  
access the powerful system. Included in the standard package is  
Parent Connect that allows parents/students to access their  
students' records from any location."  
  
"Your Parents will find Parent Connect to be an important  
communication link. Parent Connect provides schools with the  
ability to connect the school and the parents together with a  
simple, powerful Internet link you can simple add to your schools  
website. Get CONNECTED Today!"  
  
  
Vulnerability Summary:  
  
Every POST parameter within the Parent Connect web application is  
vulnerable to SQL injection.  
  
  
Exposure:  
  
One out of every three US K-12 school districts are using SDS  
Parent Connect, according to a quick phone call to 800-323-1605.  
  
  
Impact:  
  
Medium; nothing of real value to any sort of a attacker (except  
maybe a stalker) is present here, but it's enough to give school  
kids a boner, make soccer moms queef a brick, and give school  
administrators a heart attack. Someone will probably get  
fired/expelled. *You're welcome.*  
  
Exploitation grants the ability to view any student's personal  
information (name, parents' names, address, phone number, etc),  
medical records, grades, attendance (class and day), class  
schedule, disciplinary actions, standardized test scores,  
transcript, book rent balances, notifications sent home to the  
parent (apparently we don't send notes home with kids these days),  
and the abilitiy to enroll/disenroll the student from school.  
  
  
Google Dork:  
  
intitle:"SDS Parent Connect"  
  
  
Details:  
  
Every POST parameter is vulnerable. 'nuff said.  
  
All right, I'll go into more detail.  
  
It's an ASP app with an MS Access database backend. Error messages  
are *extremely* verbose (and presented in an annoying javascript  
alert box), but you won't be able to pump any data directly out of  
the database. There's probably more you can do, but I don't know  
Access/JET very well, and I don't really care.  
  
Authentication bypass is possible on portal login page: enter any  
username, as apparently it doesn't matter what you enter here --  
you'll be authenticated as someone. Enter ' OR '1'='1 in the  
password field. You'll now be viewing some random student's  
information. Great job!  
  
Want to see more? Parent Connect has this bitchin' "link accounts"  
feature, where if you have more than one child enrolled in the  
school district you could link their userids together so that you  
only have to login once to view all of your kids' information.  
Entering the current student's userid (found on the main homepage)  
in the "link accounts" form followed by ' OR '1'='1 in the password  
field will link *every* student in the entire school district to  
the account you're using. When you go back to the homepage you'll  
see a nice table (likely several thousand pages long) with the  
heading "Select Student," where you can click on any student's name  
to view all their information. Presumably since the accounts are  
all linked now, anyone who logs in using any userid will be able to  
see everyone's information. I can't be bothered to confirm that  
though, but it's neat to think about.  
  
  
Timeline:  
  
5-21-2010 - Stumbled across this while taking a shit (thanks, wifi!)  
5-21-2010 - Ate some cereal  
5-21-2010 - Watched some Adult Swim  
5-21-2010 - Posted random shit to FD  
5-21-2010 - ??  
5-22-2010 - Profit  
  
-----BEGIN PGP SIGNATURE-----  
Charset: UTF8  
Version: Hush 3.0  
Note: This signature can be verified at https://www.hushtools.com/verify  
  
wpwEAQMCAAYFAkv2kNsACgkQacHgESW3wZptvwQA0s0+nyhM+v5uI9gXNuM3VaMxOC8N  
TZFHL7PS6I/K4lwONp/4mkUQgoICuwB3NKl9/Rlsdu9Fa5CkF5tsUSLib23bAOLz3Kx9  
VMwjpgxnztiRdc1WWaHBOMusJ/W26I9/MAPkq1i2L0hCAW7LkXjg8DN0O+CgYLLCvpKa  
TxTVcJc=  
=/SA0  
-----END PGP SIGNATURE-----  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

22 May 2010 00:00Current
0.2Low risk
Vulners AI Score0.2
31