
Access to transcripts for other UB students
Status: Verified, Public

Description

Abstract

Anyone can access the university transcript of some Universitat de Barcelona students, provided that they know the student's NIUB and the degree they are studying.

Reproduction steps

  1. Get the NIUB of a UB student.
  2. Go to the UB degrees directory and click on the degree that the student is studying. When the page for that degree loads, the URL contains a code made up of the letter "G" followed by 4 digits. That is the code for the degree; take note of it.
  3. Now access http://www2.giga.ub.edu/acad/XAutoConsulta/treball/{year}_{niub}_{degree}_.pdf, where {year} is a year (it seems to be roughly the year in which the transcript was last updated), {niub} is the student's NIUB, and {degree} is the degree code found in step 2. This doesn't always work, so to reproduce it you might have to try different values of {year}, and even then, I suppose that if the student has never checked their transcript, it might not be available at all.

To bring proof of exploitability, here is a URL which shows my transcript: http://www2.giga.ub.edu/acad/XAutoConsulta/treball/2018_[REDACTED]_G1035_.pdf

Severity of the vulnerability

Several things have to be taken into account:

  • NIUB numbers can be found easily (by searching [niub física] in Google, for example, or on the information panels at the university), and by following the steps above it is also easy to match a student to the degree they are studying.
  • Viewing the transcripts reveals the student's name, DNI and marks.
  • The PDFs can be accessed without even logging in.
  • From a few tests, I could see that this doesn't always work and it may require trial and error, but in the cases it works, it displays too much information.

What should be done?

An access control should be implemented. Basically, a student should have access only to their own transcript, and no one else should have access (with the obvious exception of administrators). Apart from that, the endpoint shouldn't serve anything to people who are not logged in.
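A hardened version of the check described above, as an added example that is not UB's code: the NIUB in the requested filename is compared against the identity of the logged-in session instead of being trusted on its own, and the decision is made before the PDF is looked up. The NIUB and degree-code formats, the sample store and all identifiers are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Path shape from the report: {year}_{niub}_{degree}_.pdf. The exact NIUB and
# degree-code formats are assumptions for this example (digits; "G" + 4 digits).
TRANSCRIPT_RE = re.compile(r"(?P<year>\d{4})_(?P<niub>\d+)_(?P<degree>G\d{4})_\.pdf")

# Constructed sample of what the storage backend holds: filename -> PDF bytes.
TRANSCRIPT_STORE: Dict[str, bytes] = {
    "2018_12345678_G1035_.pdf": b"%PDF-1.4 transcript of student 12345678",
    "2017_12345678_G1035_.pdf": b"%PDF-1.4 older transcript of student 12345678",
    "2018_87654321_G1035_.pdf": b"%PDF-1.4 transcript of student 87654321",
}


@dataclass(frozen=True)
class Session:
    """Identity established by the login system, never taken from the URL."""
    niub: str
    is_admin: bool = False


def parse_transcript_name(name: str) -> Optional[Dict[str, str]]:
    """Accept only filenames of the expected shape; anything else is rejected."""
    m = TRANSCRIPT_RE.fullmatch(name)
    return m.groupdict() if m else None


def may_view_transcript(session: Optional[Session], name: str) -> bool:
    """Anonymous -> no; admin -> yes; student -> only files carrying their own NIUB."""
    parsed = parse_transcript_name(name)
    if parsed is None or session is None:
        return False
    return session.is_admin or session.niub == parsed["niub"]


def serve_transcript(session: Optional[Session], name: str) -> Tuple[int, bytes]:
    """Returns (HTTP status, body). The reported behaviour was effectively
    'return 200 and the file for any requester'; this version authorises first."""
    if session is None:
        return 401, b""                  # not logged in: nothing is served
    if not may_view_transcript(session, name):
        # Decided before the store lookup, so the answer for someone else's
        # NIUB is the same whether or not a transcript exists for it.
        return 403, b""
    pdf = TRANSCRIPT_STORE.get(name)
    if pdf is None:
        return 404, b""                  # own NIUB, but no such year/degree
    return 200, pdf
```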


This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.

Details

Vendor: Universitat de Barcelona
Product: GIGA
Reported: Feb 7 2019, 12:43 AM
Deadline: 90

Event Timeline

avm99963 created this task. Feb 7 2019, 12:41 AM
avm99963 triaged this task as Priority-1 priority.
avm99963 set Reported to Feb 7 2019, 12:43 AM. Feb 7 2019, 12:43 AM
avm99963 renamed this task from "Accés a expedient d'altres alumnes de la UB" to "Access to transcripts for other UB students". Feb 26 2019, 11:28 PM
avm99963 closed this task as Fixed. Feb 27 2019, 12:17 AM

Just as an observation, this report was sent to pau@ub.edu on Feb 7, 2019, 12:43 AM, 20 days ago.

As of now, the vulnerability seems to be fixed, so I'm changing this report's status to fixed. Despite this, I have not yet received any reply from the third party, so I've pinged them right now to confirm whether the issue is fixed or not, and when I have the confirmation I will change this report's status to verified and publish it.

Roadmap for the future

If I don't hear back from them in a week, I'll send them another email stating that if I still don't hear back from them in another week I will take for granted that this issue is fixed and will publish this report. This is because I know that the vulnerability is fixed, but it would be nice for the other party to acknowledge it before I do something that may put them at risk.

If they had asked me to postpone the publication of this report within the 90 days limit, I would have been (and will be, in case they ask me to) very flexible and would have published it whenever the other party told me they were ready (or when the 90 days would have elapsed, in this sense I would be very strict). But if the other party doesn't establish any communication with me and still reads the message (because I could see that the issue was fixed some days after the message was sent), I see this as an attempt to be completely opaque and force the 90 days limit before publishing the report. That's why I've decided to wait a maximum of two more weeks for their response before publishing it without their approval. Of course, if I receive any response, even if it is not to confirm that the vulnerability is fixed, I will consider the communication to be established and so I will talk with them before publishing the vulnerability.

I've been quite busy for the last week so I haven't been able to update this issue until today.

This is the message I sent pau@ub.edu on Feb 27, 2019, 12:15 AM:

Dear Sir/Madam,
20 days have passed since I sent you my previous email, and although I have seen that you have made changes to the website in order to resolve the vulnerability, and I have verified that the vulnerability has been fixed, at least on my side, I have not yet received any reply from you. If possible, I would like to receive a reply from you confirming that it has been fixed, so that I can publish the report on my vulnerability tracker, as I already mentioned, or, in case it is not yet completely fixed, a reply saying so.
[redacted]
Thank you,
Adrià Vilanova Martínez

They replied some hours afterwards, on Feb 27, 2019, 9:36 AM:

Good morning Adrià, as a student you have to contact the SAE service (Servei d'Atenció a l'Estudiant). At the PAU we only handle incidents related to the codes of teaching staff and administrative staff.
The address is: sae@ub.edu
Kind regards,
[redacted]
Punt d'atenció a l'usuari (PAU)
Universitat de Barcelona

Therefore, I've sent the following email to sae@ub.edu on Mar 12, 2019, 12:18 AM:

Dear Sir/Madam,
I am sending you this email because a few weeks ago I sent the UB's Punt d'Atenció a l'Usuari a report about a security vulnerability in the UB student intranet that allowed viewing the transcript of almost any UB student under certain circumstances. I did not receive any reply, and several days later the vulnerability seemed to be fixed. That is why, after some time, I contacted the PAU again to confirm whether the vulnerability had been resolved, but they replied that I actually have to address this query to you (you can review the vulnerability report, as well as all the emails we exchanged, in the forwarded message just below).
For all these reasons, I would like to ask whether you can confirm that the vulnerability has been fixed, so that I can publish the report on my vulnerability tracker as stated explicitly in the report I sent, or, in case it is not yet completely fixed, a reply indicating that.
[redacted]
Many thanks,
Adrià Vilanova Martínez

I'll wait for their response and I will not apply the previous roadmap to this message, because I've actually established contact, even if it was actually passive because they redirected me from one place to another when actually sending the report to that first place got this vulnerability apparently fixed. In the worst case scenario in which they keep redirecting me or ignoring me without actually tackling the issue, I would come up with another roadmap to publish the vulnerability.

avm99963 changed the task status from Fixed to Verified. Mar 17 2019, 8:06 PM

I received a response from them on Tue, Mar 12, 6:44 PM:

The IT technicians confirm that the vulnerability was resolved [redacted]. Many thanks for your collaboration.

Therefore, I'm changing the status of this report to verified and publishing this report.

avm99963 changed the visibility from "Restricted Project (Project)" to "Public (No Login Required)". Mar 17 2019, 8:06 PM