PLMUN STUDENT PORTAL HACKED
Disclaimer: The purpose of this research is to improve and strengthen security all issues discovered in this research are reported to the security team. The researcher is not affiliated with any hacking groups. The researcher didn’t include the sensitive data in this write-up to reduce exposure to the vulnerability. The researcher follows the vulnerability disclosure policy.
Introduction
A few weeks ago, the student portal of the Pamantasan ng Lungsod ng Muntinlupa (PLMUN) was hacked by someone. The incident of the hacking was confirmed by the plmun who posted on their official facebook page and also confirmed that they already detected the hacker.
As of this time, it’s unclear how the hacker was able to inject a malicious redirect to the plmun student portal.
A malicious redirect occurs when an application allows an attacker to control a redirect or forward it to another website. Some malicious redirects can have more harmful effects like stole users’ cookies.
Exploitation
After the hacking incidents, the plmun student portal is back to normal and the malicious redirect has already been patched. I explore the plmun student portal if I can find any security issues that can be possibly exploited by someone and I discovered Cross Site Scripting (XSS), SQL Injection, Denial of Service (DOS), and Exposure of Information Through Directory Listing.
Cross Site Scripting (XSS) vulnerability allows an attacker to stole the user’s cookies and credentials by injecting the malicious script into the application.
SQL Injection Vulnerability allows an attacker to interfere with the queries to retrieve, update, insert, and worst of all delete databases. There are different types of SQL Databases such as MySQL, Oracle, SQL Server, and others.
I also discovered some of the parameter endpoints are still not filtered out and misconfigure so when someone Injected a non-alphanumeric it’s giving an error this error can be used by the attacker to Denial of Service (DOS).
Denial of Service (DOS) Vulnerability allows an attacker to overload the network or application by sending more traffic making it unable to provide service to the users.
Exposure of Information Through Directory Listing unauthorized users can view the directory file of the plmun webpage application by guessing the right path to display any sensitive resources. The response from the plmun server includes the directory content of the directory as seen in the below screenshot.
- Plmun Paculty Directory
- Plmun Online Admission Directory
- Plmun Graduate Admission Directory
In this vulnerability, I found out that the plmun web directory was exposed including vendor, source codes, plugins, and sensitive videos of how the plmun grading system works and many more.
Since the plugins and source codes were exposed to unauthorized users the bad actors can exploit easy to the plmun web application by searching the name of the plugin and what’s the version of the plugin where bad actors can exploit and check the source codes of how the plmun web application works.
Disclosure Timeline
- September 11, 2022 — I reported to the plmun team regarding this vulnerability issue.
- September 12, 2022 — The vulnerability has been fixed.
- September 14, 2022 — Follow up reports on another vulnerability issue found.
- September 16, 2022 — The vulnerability has been fixed.
Thanks for reading this article, I hope you guys learn something new today. Please share this article to spread the knowledge.
Don’t forget to follow and connect with me through LinkedIn, and Twitter.
