A SQL injection (SQLi) vulnerability in an open source platform developed by Greek universities to manage student data left academic grades at risk of manipulation.
Miscreants leveraging the vulnerability in the application, UniverSIS, could also have retrieved IDs, students’ names, parents’ names, Social Security numbers, home addresses, and home and mobile phones, according to a blog post published by security researcher Stavros Mekesis.
The maintainers released a patch on GitLab a day after they were alerted to the flaw (tracked as CVE-2022-29603).
‘Millions of users’
UniverSIS is a Student Information System (SIS) used by some of the Greece’s largest universities, including the very largest, the Aristotle University of Thessaloniki, to store and manage students’ personally identifiable information, test results, and other sensitive data.
“The platform also handles inactive students and inactive employees,” Mekesis told The Daily Swig. “So, it would be a safe estimate to say that the platform has millions of users.”
Although the attack complexity is low the attacker must be authenticated, albeit with low privileges, such as those of a student, according to Mekesis.
“However, given that many students tend to reuse passwords, once these passwords are compromised, they can be used to break into UniverSIS and exploit the SQLi vulnerability,” Mekesis warned. “Moreover, phishing is a relatively cheap and effective form of attack.”
The UniverSIS SQLi issue involved the $select parameter and affected multiple API endpoints, including /api/students/me/messages/, due to improper validation of user-supplied input.
After sending specially crafted SQL statements to a vulnerable endpoint the attacker could “view, add, modify or delete information in the back-end database”, according to Mekesis.
Prompt response
UniverSIS versions up to and including 1.2.1 are all potentially vulnerable.
Mekesis has advised users to apply a recently issued patch as soon as possible.
“The UniverSIS support team responded instantly” after Mekesis contacted them on April 17, 2022, according to the researcher. The lead developers, Kyriakos and Anthi, rolled out a patch on April 18, said Mekesis, after “Kyriakos worked relentlessly (even on Orthodox Easter Sunday!) to keep Greek universities safe. Bravo!”
It’s the second time this month that Mekesis has documented a bug in UniverSIS, having disclosed an information disclosure vulnerability in the platform three weeks ago.
