In case you missed it, I wrote an article a few days ago on my other blog (Following the White Rabbit) where I addressed the issue of the Pottsville, PA student "hacking" of the grading and online classroom system from Classroll.com.
I then thought a little more on the topic and figured I'd take a quick peek at the overall security of the Classboard.com login page where students and teachers as well as administrators go to log into the system. After an initial look, I wasn't shocked by what came next.
First off, the login page is a little scary... after that, there were Cross-Site Scripting (XSS) issues all over the place. I got worried and decided that the best thing to do was call their support and see if I could get through to someone who spoke security. I wasn't surprised by the result.
After trying twice unsuccessfully to leave a message and have someone call me back, I decided to get aggressive and pursue someone to talk to - a Mr. Ken Stith was going to be the Security Guy, according to the girl in support who gave me his name, number and extension.
True to his word, that particular vulnerability vector (notice the wording there) is mitigated. Now when someone attempts to exploit that specific vector they are greeted by this:
I do have some other issues that I really wish ClassBoard would address, but Ken alerted me to the fact that he won't be responding to my query for additional information because giving out information may lead to someone being able to exploit them easier... I'm not sure I buy that.
- Why on God's green earth would you ever allow a Non-Secure Login? Ken's original phone-interview response was that some users have incompatible browsers and when this feature was turned off, people flooded their support lines asking for help - so the option was re-enabled.
- Please sanitize all your variables. As an example, the DistrictID variable should be numeric (as far as I can tell) so there should be a nice input filter [on the server side] to simply eliminate any character from the user's input stream that is not a number. This would solve/mitigate your unnecessary risks.
- There should absolutely be separate login interfaces for staff and parents/students... absolutely. It's common sense and industry best-practice to not allow people who can administer the system to log in on the same interface as those who use the system. I will be happy to write up why in case anyone disagrees.
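Here is what the server-side DistrictID filter from the second point looks like in practice, as an added example that is not ClassBoard's code and not from the original post. The field name DistrictID comes from the post; the query-string layout, the 1-9 digit limit and the error page that echoes the value back are assumptions made for the example. It shows the "strip every non-digit" filter next to a stricter reject-on-mismatch check, and it HTML-encodes anything reflected into the page, because input filtering on one field does nothing for the other places a login page echoes user data.

```python
import html
import re
from urllib.parse import parse_qs

# Allow-list for DistrictID: 1 to 9 ASCII digits. The post only says the
# field "should be numeric"; the length limit is an assumption for this example.
DISTRICT_ID_RE = re.compile(r"^[0-9]{1,9}$")


def validate_district_id(raw):
    """Return DistrictID as an int, or None if it is not purely numeric.

    Rejecting beats stripping: '123<script>' is refused outright instead
    of silently turning into district 123 and letting a probe look harmless.
    """
    if raw is None or not DISTRICT_ID_RE.fullmatch(raw):
        return None
    return int(raw)


def strip_non_digits(raw):
    """The 'eliminate any character that is not a number' filter the post
    describes, kept here so the two approaches can be compared."""
    return re.sub(r"[^0-9]", "", raw or "")


def render_login_error(district_id_input):
    """Error page that reflects the submitted value. html.escape() is the
    output-encoding step that neutralises XSS regardless of what the
    input filter let through (assumed page layout)."""
    return "<p>Unknown district: %s</p>" % html.escape(district_id_input, quote=True)


def handle_login_query(query_string):
    """Handle a login request query string such as 'DistrictID=123&user=alice'
    (assumed parameter layout). Returns (http_status, html_body)."""
    params = parse_qs(query_string, keep_blank_values=True)
    raw = params.get("DistrictID", [""])[0]
    district_id = validate_district_id(raw)
    if district_id is None:
        return 400, render_login_error(raw)
    return 200, "<p>District %d login form</p>" % district_id


# Constructed sample requests: a clean one, an XSS probe, and a negative number.
SAMPLE_QUERIES = [
    "DistrictID=123&user=alice",
    "DistrictID=123<script>alert(1)</script>&user=alice",
    "DistrictID=-1&user=alice",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, "->", handle_login_query(q))
```

Note that the strip filter turns the probe `123<script>alert(1)</script>` into `1231`, a valid-looking ID, which hides the attempt from logs; the reject path returns a 400 and the escaped value, so the payload is both blocked and visible.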