By MICHAEL FOREMAN
Student magazine Craccum has claimed Auckland University's nDeva online enrolment system may have been compromised after a security hole was left open for three months.
Details of the exposure were published yesterday in an article titled: "How to hack into nDeva - A beginner's guide".
The article suggested the records of 26,000 students were open to tampering during that time, and that any person with basic PC knowledge would be able to "invent a student profile and 'complete' a University of Auckland degree within a few hours".
"I haven't had any reaction from the university, but the students think it's pretty interesting," said Craccum editor John Marshall.
He said the nDeva system had been open to hackers thanks to a bug in Microsoft's Internet Information Server (IIS) 5.0, which was first discovered last March.
Microsoft had released a patch to close the loophole in May, but it was not activated on the university's nDeva system until five weeks ago.
"The security at Auckland [university] seems to be a bit token," said Marshall.
According to the article, the only reason the loophole was closed was that, during a routine upgrade, the university updated the nDeva web server with a security patch released by Microsoft after the unleashing of the Code Red worm.
The article included details of how the nDeva site could have been hacked before the installation of the patch, including a sample "test exploit" script.
It also claimed a hacker called "nGenious" was able to enter the site and gain access to a database containing student and staff details.
"This kind of security breach shows the overall trust people place in a 'secure' website and how security patches must be applied weekly to internet facing devices," the hacker said.
Marshall said he had been alerted to the bug by a group of Auckland-based hackers called Southern Lights International.
He hoped publication of the article would help to improve what appeared to be a lax attitude to computer security at the university.
"Hopefully it will get them into gear," he said.
Auckland University information technology director Steve Saunders refused to comment on the magazine's allegations yesterday.
"At this stage we are investigating those claims but we are making no comment at this stage," he said.
Later in the day, director of administration Jonathan Blakeman said the university had reviewed the security of its systems and was confident of the security of its data.
The Craccum article said the nDeva system was vulnerable to CGI (common gateway interface) filename processing errors in IIS versions 4.0 and 5.0.