School's Web Portal



  • This is my first post here; I've been a long time reader.

    I overheard my brother today complaining that his high school’s online grade reporting system (Infinite Campus) had recently had all of its important links removed (to view grades, transcripts, etc). I thought this was a strange thing to do seeing that it’s almost finals time (the most important time of year to have access to that kind of information) so I asked him about it. Apparently, some kids had figured out how to see their next semester schedule (which they’re really secretive about for some reason) by changing some text in the address bar. My best guess is that the school administrators (or website admins) freaked and took down all the links (you can still log in). I happen to know someone from a different high school that also uses the service; I got the important links, changed the “personID” param, and what do ya know? Everything is still there after all.

    TRWTF:
    I wanted to figure out what “hideTerms” did (it was set to some large number) so I changed it to 0.
    “Campus Error java.lang.NullPointerException”

    After more prodding (added ' or 1=1):
    Campus Error java.lang.ClassNotFoundException: com.infinitecampus.portal.PortalSchedule' or 1=1

    Now, I’m a freshman in college (Comp Sci) that has been programming for 5 years. I’ve never done web apps, just WinForms stuff so I’m definitely no expert. But that seems really, REALLY bad…
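
What the post above runs into is a missing server-side ownership check on “personID” plus request text ending up in a class name. The following is an added example, not part of the original post and not Infinite Campus code: a minimal Java 16+ sketch of the two server-side checks, in which the `view` parameter, the `Session` record and the handler names are assumptions made for illustration.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

// Added illustration; every name here is hypothetical except the personID parameter.
public class PortalGuard {
    // What the server knows about the logged-in user (constructed sample model).
    record Session(int personId, Set<Integer> linkedPersonIds) {}

    // Allowlist of views: request text selects an entry here and is never
    // concatenated into a class name or handed to Class.forName().
    static final Map<String, Function<Integer, String>> VIEWS = Map.of(
        "schedule", id -> "schedule for person " + id,
        "grades",   id -> "grades for person " + id);

    static String handle(Session s, Map<String, String> params) {
        // 1. Strict parsing: malformed input gets a generic status, not a stack trace.
        Integer personId = parseId(params.get("personID"));
        if (personId == null) return "400 Bad Request";

        // 2. Object-level authorization: the requested record must belong to the
        //    session, whether or not the page still shows a link to it.
        if (personId != s.personId() && !s.linkedPersonIds().contains(personId))
            return "403 Forbidden";

        // 3. Unknown view names are rejected instead of being resolved reflectively.
        Function<Integer, String> view = VIEWS.get(params.getOrDefault("view", ""));
        if (view == null) return "404 Not Found";
        return "200 " + view.apply(personId);
    }

    // Digits only, bounded length; returns null for anything else.
    static Integer parseId(String raw) {
        if (raw == null || !raw.matches("\\d{1,9}")) return null;
        return Integer.valueOf(raw);
    }

    public static void main(String[] args) {
        Session student = new Session(1001, Set.of()); // constructed sample user
        System.out.println(handle(student, Map.of("personID", "1001", "view", "schedule")));
        System.out.println(handle(student, Map.of("personID", "1002", "view", "schedule")));
        System.out.println(handle(student, Map.of("personID", "1001", "view", "schedule' or 1=1")));
        System.out.println(handle(student, Map.of("personID", "12x", "view", "grades")));
    }
}
```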



  • Add 'schools' to your list of 'places not to work when I graduate'.

     



  • That sounds about on par with the computer security at my old high school.

    Ahh, the days when the server password was "serVer"... and case-insensitive... the joys of having the computers be under the control of a librarian with no computer experience whatsoever.



  • Ahh, the Schooltime...

    Reminds me of one thing, too. I was at a business school, and we had a class about 10-finger typing, with a special piece of typing software called "Taststar". You had 10 minutes to write, then the program compared your typed text with a reference text saved on a network drive, counted the typed characters per minute, and printed the results straight to the teacher's desk. Deleting any typos was not permitted for training purposes. (You shouldn't make them in the first place).

    The machines ran Windows NT 3.5, and every other piece of software was disabled. So when you fired it up, just "Taststar" appeared, and nothing else. No taskbar etc... In writing mode, it had just a simple textbox and you could type only plain text; all other formatting stuff was disabled, including most of the Windows hotkeys to prevent cheating (BACKSPACE, DELETE, STRG-V, STRG-C and so on). OK, so I was young, and the lessons were really boring, so I made some trial & error discoveries: They didn't care about the old DOS hotkeys SHIFT-DELETE and SHIFT-INSERT, and of course STRG-ALT-DEL was still enabled, too ;) You know what comes now, don't you? Yes:
    Bring up the Task Manager - click New Task, start notepad, open the reference text file on the network drive (I searched for about 3 lessons ;)), delete the last 3 paragraphs somewhere mid-sentence, add one random typo for good will, copy the text with SHIFT-DEL, switch back to Taststar, insert it with SHIFT-INS, and keep your mouth shut for the next nine and a half minutes.

    Nice Time!
     



  • @tenchu said:

    I’m a freshman in college (Comp Sci) that has been programming for 5 years. I’ve never done web apps, just WinForms stuff ...

    The Real WTF(tm) is the fact that as a freshman in CS all you've done is WinForms...  unless this is hyperbole?  I mean, JavaSchools are bad enough, but do we really need DotNetSchools?
     



  • Let me rephrase that. I'm just finishing my first semester at a 4-year university, I'm declared as Comp Sci but there isn't an actual CS class until second semester sophomore year (have to get calculus, physics, chemistry, etc. out of the way first). Back in high school/middle school I took 6 or so programming classes (VB6, C++, C#, best practices) at a community college and read books on my own etc.


    What I was trying to get across: I don’t know about all the things I should to get a job such as the technology behind a web based app like the one I was talking about (and this website helped me to see exactly what results when people pretend to know more than they do); but I am competent in some area.



  • @GuntherVB said:

    Add 'schools' to your list of 'places not to work when I graduate'.

     

     

    Dude, there was a nifty high-school computer security tool SO ADVANCED: It quickly hid file, edit, etc... menus from Firefox... NO IT DIDN'T RESTRICT THEM, it just made them hide REALLY fast... but if you double click... OH-OH!

    They hid c:\ from windows explorer... but if you go to start > run > cmd.exe... and typed in 'c:<enter>' take a lucky guess what would happen.

     

    The comp-sci teacher was so annoyed she gave extra credit to anyone who could find a new security loophole... and HIGH-SCHOOL STUDENTS WITH AT MOST A FEW YRS PROGRAMMING (more like messing around w/ computers) cracked that system inside-out... go security!

     



    Reminds me of some "security" software called foolproof that was being run on computers in our compsci classes in high school. I found a loophole by accident one day when explorer.exe crashed on me, and I added it as a new task. This would totally remove all limitations in place on the system. So getting around the security was as simple as ending the current instance of explorer.exe and adding it again....brilliant!

     



  • @jo-82 said:

    STRG-V
     

    You are German I presume?



    Back at school we used to have a Netware server sitting in a rack secured with a glass door. That was kept locked by a key stored in the drawer of the administrator's office (in the same room). One day, I was left in the room alone so I grabbed the key, jumped on the console and created myself a permanent administrator account. Well, you can imagine my reaction as a young student when the administrator 'busted' me for putting pr0n up on the server (which I didn't do).

     Suffice it to say they thought it was a power surge!



  • I remember that we hid DOS games in a "hidden" directory (I think we used ALT+255 to create the partition). That way, they wouldn't notice it and only the students who knew how to not tell everyone could play :-)



  • @spr said:

    I remember that we hid DOS games in a "hidden" directory (I think we used ALT+255 to create the partition). That way, they wouldn't notice it and only the students who knew how to not tell everyone could play :-)

    They'd search our directories for .EXE files so I had to rename the game executable and write a batch file to run it for me...

    Also, before a friend and I were granted our own little 'office' (great idea, btw... spare two computers and let the kids screw around their own machines instead of the lab ones.. also teach them some responsibility and network administration along the way) we had to use a keylogger to get the protection software master password. Imagine our frustration as it turned out to be <4-letter acronym of the computer center's name, xycc>1! It'd have been much more satisfactory to have guessed it...



  • @m0ffx said:

    @jo-82 said:

    STRG-V
     

    You are German I presume?

    Fun fact: Around here, a lot of people incorrectly call this the "String" key, assuming that that is what the letters STRG stand for. Of course, anyone who has ever used an English-language kezboard knows that the key is called CTRL there, so STRG must stand for "Steuerung" (ie "Control").

     String-alt-entf for the win!
     



  • @tenchu said:

    Now, I’m a freshman in college (Comp Sci) that has been programming for 5 years. I’ve never done web apps, just WinForms stuff so I’m definitely no expert. But that seems really, REALLY bad…

    Yeah, that's pretty bad. Now, consider:

    (a) as bad as it is these kinds of problems are not unusual
    (b) this app was not written by students but by "professional" programmers

    Now, try to imagine the chain of ignorance, neglectfulness, incompetence, and just-plain-don't-give-a-shit that had to come into play in order for a thing like this to make it to production. How many people were either suckered by this application's hype, or were themselves the ones doing the suckering. And now consider it happens thousands of times over.

    Your head asplode yet?
     



  • I know, it was designed by a company "to avoid the many pitfalls associated with proprietary technologies, [we] employ open standards, open source and industry-standard technologies."

    On the topic of security: 

    "security is evident throughout the system and accommodates users in a true multi-user modality. Because Infinite Campus is a multiple tier system, it employs an advanced object-based security model that is role and function-based. Individual stakeholders are assigned one or more login password identities. Stakeholders can be assigned to more than one group providing true multi-user modality. When a stakeholder logs in with a particular identity, they see only the tools they have been assigned and only the data that the Infinite Campus business logic associates with those tools."



  • @GuntherVB said:

    Add 'schools' to your list of 'places not to work when I graduate'.

     


    The cake is a lie.



  • @Arancaytar said:

    @m0ffx said:
    @jo-82 said:

    STRG-V
     

    You are German I presume?

    Fun fact: Around here, a lot of people incorrectly call this the "String" key, assuming that that is what the letters STRG stand for. Of course, anyone who has ever used an English-language kezboard knows that the key is called CTRL there, so STRG must stand for "Steuerung" (ie "Control").

     String-alt-entf for the win!
     

    Whoa, they actually translate key captions. I would be rather surprised to see "Ктрл", "Альт" and "Сдвиг" on my keyboard. 8=]



  • @spr said:

    I remember that we hid DOS games in a "hidden" directory (I think we used ALT+255 to create the partition). That way, they wouldn't notice it and only the students who knew how to not tell everyone could play :-)

     

    And I remember having a 40Mb drive with dos having a 32Mb limit, and a very clueless IT staff. After they discovered the new drive D:, we just repartitioned for each letter, until we finally got to Z:

    Then we made a folder called '. ' (with the alt-255 trick) 

