Here is the situation. At the end of last month I took part in the third programming competition of Chongqing University of Business and Technology and won first prize, which also qualified me for the Chongqing College Students Programming Competition. This was the first time freshmen had been allowed to enter, and also the first time a freshman won first prize (that's me).
I'm awesome
Of course I didn't enter the competition just for the sake of entering; as a college student there are extra credits to be earned too.
According to our school's regulations, applications for "New Confucian Merchants" credits (extracurricular credits) are made in a system called "Youth Business University".
Following the instructions, I opened the advanced "Youth Business University" system, landed on the homepage, and was greeted by a familiar UI style that brought back good memories...
Oh no... Could it be...
Why does it look so similar to MUI (actually it is)...
It reminded me of the wonderful days when I wrote projects with BlueBird, back in those beautiful and naive times (I mean junior high school)... In the blink of an eye I graduated from junior high, and the homeroom teacher asked me to collect my classmates' high school entrance exam scores. There were no Tencent document collection forms back then, so I built a graduate information entry system in BlueBird. Well, it was a very "secure" frontend-only system...
Oh... Frontend-only? Surely not...
It really is frontend-only, with no authentication whatsoever, and you can freely access the data of any account. You can even get at the administrator...
Since I'm here, let me show off as an administrator:
No keys needed: simply knowing a userid (student ID) that has administrator privileges lets you roam freely through the world of Youth Business University. How wonderful.
Due to the numerous flaws in this system, it is not easy to list them one by one, so I'll just mention a few:
- The entire system has no authentication process, and all data is transmitted in plain text. The server takes whatever userid the client sends as proof of who the caller is, so identity is a value anyone can type in. This is a major development taboo that needs no further explanation. It's like making the password for your front door your family members' names: anyone who knows their names can walk in.
- The entire system is built purely on the frontend, so anything the page chooses not to show is hidden only by the UI, not enforced by the server. Even if that is not quite a major taboo, I wouldn't have dared to build like this back in junior high school.
The interface is too ugly
Overall, my evaluation of this system can be summarized in the diagram below:
It is hard to believe that a credit management system which decides whether students can graduate is this fragile. If one day someone with malicious intent wants to manipulate the data of any student in this system, nothing stands in their way. Perhaps it has already happened and we simply don't know, since the system doesn't even keep an operation log.
As a good student, I immediately reported the security vulnerabilities of this little system to the Youth League Committee through the system itself, and I hope they see it soon (it may take a while, but in the meantime we can learn from this system).
If the Youth League Committee doesn't notice, I'll report it to the relevant departments of the school when I have free time at the end of December.