How we got into your PMMS accounts
Note: This post is purely for educational purpose, our motive is never to show wrong usage of this information. We have used our accounts to display this issue.You are on your own if you use this in a wrong manner.
So, lets jump in. All colleges enrolled with GTU has manage the final year projects of students on an online portal called the Project Monitoring and Mentoring System (PMMS). For the choice of definition to final certificate generation is done on this online portal.
Me with my friend Chittaranjan Kumar were changing his old email id on the portal and we noticed something. There was no authorization needed to change your email id. So, we decided to understand the flow of the whole process and finally got a way to go into anyones pmms accounts. so, lets see how its done.
First of all, we go to Change email page where it asks for three things enrollment number, old email and the new email. So, now we entered a enrollment number of a account, old email and our new temporary email which we have created.
And we clicked on change email, without any verification we changed the email successfully. How we got the email and the enrollment number of the person that we come back to in a minute. Now we have to get the password of the user to get into his/her accounts. for that we used another desgin flaw. Portal was sending plaintext passwords to students email. So we requested for the a new password by going into Forgot password page.
Here, it ask for only the email of the student. Note that we will put now the email which we changed previously. So, we entered the email and Voila!!
We, got a nice email from portal with the user-name and password. and hence we can now enter into anyones account easily.
But, wait we have a problem How to get someone email and enrollments number. well in the case of enrollment number www.gtuinfo.in will help you out and for email part we let you think about it.
So, now we decided to test if this issue could be exploited on a large scale, and we were able to test it. With help of our another friend ~x03~ we developed a Python script to automate this whole task.
So, what we are doing here is that First changing an email to a temporary email and that requesting the password on that email and at the end resetting the original email back.
This issue will become more critical next year due to one of my previous finding which could leak emails of all students currently in 3rd year. Here is the link to it. Do read it
Conclusion
Whats happening here is that there is no authorization in change of emails and another thing sending of passwords to email directly.
Fixes that can be imposed.
- Change email option should be available after user logs into his/her account.
- Password should not be sent directly to email, instead reset links should be used.
- Emails other than Standard domains like (gmail,yahoo, rediff etc) should be blocked.
So, that was the whole issue we wanted to point out. Hope you liked that, Write us your views on this in comments for sure. Thanks
Final Note: Now, Change email option has been removed from the portal, so the exploitation of this issue is not possible.
