Utah Valley University (UVU) removed two websites with 17-year-old critical vulnerabilities after the UtahCyberCheck found and reported them.

Located in Orem, UT along the Wasatch Mountains, UVU is a teaching institution that offers a variety of education options for its students. It “is the largest public university in Utah” with 41,728 students enrolled Fall semester 2019 and employs 5,276 faculty and staff. The school offers 91 bachelor’s degrees, 11 masters degrees, and a variety of associates degrees and certificates. Needless to say, UVU plays a large role in educating Utah’s workforce.

Although the faculty’s primary purpose is to teach, they do have flexibility to conduct research. Some avenues of publishing research include UVU’s journals and traditional scholarly journals. In fact, UVU recently boasted that one of it’s psychology studies “was among the most downloaded scholarly articles published nationally in 2018” in a prestigious psychology journal. Another option until recently was to publish information on a university-sponsored website, a method popular among many higher-education institutions.

Research.uvu.edu SQL Injection Vulnerabilities

Research.uvu.edu homepage.

It’s this last option where I found severe vulnerabilities. Research.uvu.edu houses a variety of faculty websites including those on subjects of biology, social sciences, physical sciences, and more. When attempting to search for researcher’s, a term one could expect to find on a higher education website let alone a research website, the server returned an error message. The error returned is consistent with error messages returned by websites that are vulnerable to a cyberattack called a SQL Injection attack.

SQL Injection attacks are when a hacker manipulates website inputs, such as search queries, to gain access to the backend database. Depending on the structure of the database and the level of access the website has, the attacker could view and modify the entire contents of the database. Often this can give attackers access to sensitive information such as a list of usernames and passwords, account information, etc. SQL injection vulnerabilities are so frequent and severe that it remains number one in the widely-recognized OWASP list of Top 10 web vulnerabilities.

A screenshot of the research.uvu.edu homepage search database error.

The homepage search bar was not the only location of potential SQL injection entry points. I also found the same server hosted another website called “UVU Virtual Herbarium” at http://research.uvu.edu:8080.

UVU’s Virtual Herbarium Homepage.

On this website, there were other search fields on various pages, including the “Advanced Search” page.

UVU’s Virtual Herbarium Advanced Search Page.

The search fields checked all produced database errors when searching for flower’s or researcher’s.

UVU’s Virtual Herbarium displaying a database error consistent with a SQL Injection Vulnerability.

At no time did I attempt to exploit the vulnerabilities to confirm access to the database. However, the evidence is overwhelming showing these websites were vulnerable.

Research.uvu.edu Timeline and Risk

From publicly available information, we can determine approximately how long the data was exposed and the risk of unauthorized access.

The oldest archive.org saved page of the research.uvu.edu homepage is December 22, 2008. Another archive.org saved page shows a forum specifically for research.uvu.edu with posts dated 2003 about announcements and website help. Also, the research.uvu.edu website footer across all archive.org saved pages stated, “Copyright © 2003 UVU All Rights Reserved.” A look at the webpage source code shows the homepage was first created April 03, 2003. This places the website go-live date in 2003.

That means for 17 years hackers could easily access the database. The vulnerability is trivial to exploit and easily found. Popular website vulnerability scanners and hacker tools would have no problem finding and automatically exploiting the vulnerability to access the data in the backend database. Given the time this was exposed and the ease to exploit it, the likelihood an unauthorized individual accessed the database is extremely high.

Research.uvu.edu Exposed Data

Which brings us to the question, “What is in the database?” Although we cannot see the database structure, we can make reasonable conclusions of what it contains. Certainly information related to research data was on there such as the Herbarium database. The web application also contained a login page. This indicates faculty usernames, passwords, names, and email addresses are in the database.

The number of records with that information is relatively small. Few faculty appeared to use the website as there were only a few department web pages. The saved forums webpage also indicate that in 2008, there were only 48 forum members.

Overall, the size of the likely breach and who’s data was in the database makes this a minor issue. The few faculty who used the website can easily change passwords, and no other regulated data appears at risk. Instead, this incident serves as a warning flag to UVU and all Utah education that there will be breaches and major cybersecurity issues unless systemic changes are made to protect the assets and data. After all, if this can happen at Utah’s largest education institution, it could happen at any of Utah’s schools.

Really, SQL Injection vulnerabilities are common in education and many other industries. In a 2017 report, a single hacker successfully exploited SQL injection vulnerabilities in over 2 dozen U.S. universities. In 2019, Georgia Tech suffered a breach of up to 1.3 million records due to “a custom web application with a form that was vulnerable to SQL injection.” Many more SQL Injection stories exist.

UVU Response

After I reported the issue to UVU’s cybersecurity team on February 24, 2020, they acknowledged the report the following day. UVU took both websites offline within two days. The UVU cybersecurity team did a great job rapidly responding to and effectively addressing the issues.

UVU did not indicate whether these websites will remain offline or be available again in the future. Nor did I receive any indication that processes will change as a result of this incident. However, between when I reported this issue and today’s publication, UVU appointed Dr. J. Kelly Flanagan as New Vice President of Digital Transformation and CIO. With new leadership UVU will likely see a change in technology and processes at the university.

The UtahCyberCheck project focuses on voluntarily finding and reporting cybersecurity issues of Utah education, nonprofit, and government infrastructure. For more information about the UtahCyberCheck project, you can read its announcement blog post.

Featured photo credit Photo Credit: Ben P L https://www.flickr.com/photos/88663091@N04/