Sandbox

level 80 developer September 4, 2013 at 4:21 pm

Vulnerabilities of the site edu.tatar.ru

Hello, Habr! I decided to write this post because I had previously looked for vulnerabilities on this site, "beloved" by all schoolchildren, and found some, after which I sent them to technical support, where they were fixed (more or less actively). But the latest vulnerability I found was not taken into account, and therefore, with purely good intentions, I have decided to publish one old bug and one new one, which was not considered a bug. If you have read this far, welcome.

I apologize in advance if the screenshots fail to load; I don't know of a hosting that can handle the size of the Habr audience.

It is on this site that grades for all subjects are posted today in Tatarstan and, possibly, in other regions of Russia. This particular site is constantly down at school. It is this site that every second teacher curses. So, please welcome:

First, a rather old bug that I sent to technical support in the middle of the last academic year; it is no longer relevant, but it worked until September 1 of this year. You can skip this part, it's not that interesting: it's just an XSS injection.

In fact, everything is quite simple: you follow this link and append a simple XSS injection to it:


Do not copy it, but rather remember it, since one character has been replaced so that it displays correctly on Habr.

As a result, any user familiar with XSS could do anything. Now for the new vulnerability, which still works (04.09.13, 16:02 Moscow time).


It is based on a rather banal substitution of numbers; the original address can be seen in the screenshot, but I cut it down to the minimum needed for the bug to work.
As you can see, you do not need to change the entire link, only the number after the last %2F, for example
/show/?img_file=%2Fupload%2Fanketas%2F100005.jpg
changed to
/show/?img_file=%2Fupload%2Fanketas%2F100004.jpg
and so on, getting more and more new photos (I didn't know that so many chubby people like to upload their photos to their profiles on edu.tatar).
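The enumeration described above is an insecure direct object reference: the server trusts the file path carried in the img_file parameter and never asks whether the requester is allowed to see that particular photo. The following Python is an added example, not code from the original post and not edu.tatar.ru's code; it puts a handler with that flaw next to a hardened one (path confined to the upload directory, viewer check against the session user, identical response for "not yours" and "does not exist"), and then goes one step beyond the text by replacing the sequential file name in the URL with an opaque per-user handle. UPLOAD_ROOT, the PHOTOS table, the user names and the viewer lists are constructed assumptions.

```python
"""Added example for the img_file enumeration described above; this is not code
from the original post and not edu.tatar.ru's code. The file names, users and
viewer lists below are constructed for the example."""
import posixpath
import secrets
from urllib.parse import unquote

UPLOAD_ROOT = "/upload/anketas"

# Constructed sample data: profile photos, their owners and who may view them.
PHOTOS = {
    "100004.jpg": {"owner": "ivanov", "viewers": {"ivanov", "teacher_5a"}},
    "100005.jpg": {"owner": "petrova", "viewers": {"petrova", "teacher_5b"}},
}
# Constructed stand-in for the files that actually exist on disk.
FILES = {f"{UPLOAD_ROOT}/{name}" for name in PHOTOS}


def show_vulnerable(img_file):
    """The pattern the post describes: decode ?img_file=... and serve whatever it
    names, with no check of who is asking. Any visitor can walk the sequential
    numbers and collect every profile photo."""
    path = unquote(img_file)
    if path in FILES:
        return 200, path
    return 404, None


def _photo_name(img_file):
    """Decode and normalise the parameter; accept only a direct child of
    UPLOAD_ROOT (rejects '..' segments and paths elsewhere on the server)."""
    path = posixpath.normpath(unquote(img_file))
    if posixpath.dirname(path) != UPLOAD_ROOT:
        return None
    return posixpath.basename(path)


def show_hardened(current_user, img_file):
    """Same endpoint with the two missing checks: the path must be a profile
    photo, and the requester must be the owner or an explicitly permitted viewer."""
    name = _photo_name(img_file)
    if name is None:
        return 400, None
    record = PHOTOS.get(name)
    # Same status for "no such photo" and "not yours", so the endpoint does not
    # confirm which numbers exist.
    if record is None or current_user not in record["viewers"]:
        return 404, None
    return 200, f"{UPLOAD_ROOT}/{name}"


# One step further than the fix above: hand out opaque, per-user handles instead
# of the raw file name, so the URL carries nothing that can be incremented.
_REFERENCES = {}  # token -> (user the token was issued to, file name)


def issue_reference(current_user, name):
    """Create a handle for a photo the user is allowed to see; None otherwise."""
    record = PHOTOS.get(name)
    if record is None or current_user not in record["viewers"]:
        return None
    token = secrets.token_urlsafe(16)
    _REFERENCES[token] = (current_user, name)
    return token


def show_by_reference(current_user, token):
    """Resolve a handle; it is only valid for the user it was issued to."""
    entry = _REFERENCES.get(token)
    if entry is None or entry[0] != current_user:
        return 404, None
    return 200, f"{UPLOAD_ROOT}/{entry[1]}"


if __name__ == "__main__":
    req = "%2Fupload%2Fanketas%2F100004.jpg"
    print("vulnerable, anyone:", show_vulnerable(req))
    print("hardened, petrova: ", show_hardened("petrova", req))
    print("hardened, ivanov:  ", show_hardened("ivanov", req))
```

In a real deployment the PHOTOS table is the database row that records who uploaded the photo and which teachers or classes may see it. The design point is that the decision is made server-side from the session user, never from anything in the URL, and that a denied photo and a nonexistent photo produce the same response.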

Thank you all for your attention.

Tags: edu.tatar.ru, education, xss, injections, compromise, photo


Remote monitoring of the educational process allows parents not only to receive up-to-date information about their child's progress in time and check the electronic diary and grades, but also to better understand the methods and specifics of teaching. Electronic education (edu.tatar.ru) is a government service portal that makes it convenient to monitor children's school life and successes.

Nomenclature

The website edu.tatar.ru has a complex nomenclature, but is quite easy to manage. When you go to its main page, four buttons appear at the top of the site header:

  • Organizations. When you click it, a list of regions opens in alphabetical order, from which you select yours. After selecting the region, a page opens with several buttons: Additional, Preschool, School, Vocational education and other educational organizations, from which you select the type of interest. After clicking the selected button, a list of organizations of this type connected to the system opens. Each organization of Tatarstan in the list is presented as an active link, by clicking which you can see the latest data;
  • To the student. When you press this button, an electronic list of virtual elective courses in school subjects (exact sciences and humanities, art, etc.) opens. When you click a link, a form appears that lets you log in to the site. You can register yourself or log in using your ESIA (unified identification and authentication) data. After authorization on the RT website, access to online courses opens. This section also contains the electronic diary;
  • To the teacher. Similar to the previous section, this one contains additional materials and guidelines for a teacher in a particular subject, as well as recommendations for methodological work and extracurricular activities. After going to the selected subsection, as in the previous case, a form opens with which you log in to the site;
  • Distance education. This section of the government services on the electronic education portal of the Republic of Tatarstan edu.tatar.ru contains the materials and data needed for distance education, which can be carried out at home on a computer. After clicking this button on the main page, an authorization form for the RT resource opens. After filling it out, you will have access to the necessary materials. Sometimes analogues of electronic diaries are presented in this section.

Navigation through the Tatarstan e-education resource is simple. You can find this or that function quite quickly. Convenient division into sections and a minimum of unnecessary links on the pages help quickly and easily navigate the portal, even for those who have visited it for the first time.

Authorization

Most functions of the website are available only after authorization on the portal. The only exception is information about organizations of Tatarstan, presented on the resource in the public domain. In order to find out the latest current data about their activities, there is no need to log in. Almost all other functions are available only after logging in.

In order to enter the website edu.tatar.ru, you can proceed as follows:

  1. On the right side of the site's main page there is an electronic form in which you enter the credentials for the resource (issued by the school administration or the class teacher);
  2. You can also log in via ESIA (the Unified Identification and Authentication System); to do so, click the link under the main form;
  3. A form will open in which you fill in the "Mobile phone" and "Password" fields, with which authorization will be carried out;
  4. On the same page you can select the item "Log in using SNILS";
  5. Another electronic form will open for you to fill out.

After filling out all the required form fields and clicking the “Login” button, the visitor gains access to all functions of the Tatarstan resource edu.tatar.ru. At the same time, you can enter the site both on the main page and on any of those where materials are presented that are available for viewing only after authorization.

Electronic diary

Progress testing is one of the most common reasons why parents use this site. In order to check school grades via the Internet, you need to go to the website and log in by filling out the login form. After this, proceed according to the algorithm:

  1. Select the “Student” link;
  2. Find the relevant section;
  3. Select your educational institution by name;
  4. Enter the last name or find it in the list of students;
  5. The necessary data will appear.

In this section you can find out not only the grades of the Tatarstan student, but also information about attendance. This section also contains a list of additional classes, mandatory or optional, to attend.

In addition, the section is equipped with the following useful functions:

  1. Information about homework;
  2. Methodological recommendations for the educational process;
  3. Notes and notes (as in a paper diary);
  4. Food menu in the canteen;
  5. Quick communication with the teacher through correspondence.

Having an electronic diary on edu.tatar.ru simplifies the educational process for both parents and the child.

At the moment, distance learning and professional development are among the most common teaching methods. In the Republic of Tatarstan, the web service edu.tatar.ru is very popular among schoolchildren, teachers and lecturers.

Directions of distance learning and development

Currently, edu.tatar.ru is divided into four main directions:

  1. Electronic education for elementary, middle and high school students;
  2. Improving teaching skills for teachers and lecturers using Internet technologies;
  3. Improving education for organizations;
  4. Remote e-learning for people with low vision.

Materials and information

Depending on the direction, the site hosts a large number of various educational materials, for example:

  1. Virtual electives;
  2. Links to web resources and portals with up-to-date information;
  3. Information and contacts of additional educational institutions, as well as institutions specializing in preschool development.

To obtain the complete list of information and access to the material, you must register and go to your personal account.

EDU TATAR RU - EDUCATION IN TATARSTAN (HOW TO CREATE AN ELECTRONIC DIARY)

Recently, electronic education has become very popular among people who want to continue their education. Interesting and useful experience on how to obtain so-called electronic education can be found on the website edu.tatar.ru.

This website contains absolutely all educational institutions of the Republic of Tatarstan, from preschool education to professional institutions. They all have a clear structure by region. The edu.tatar.ru electronic education website provides such complete information that anyone can choose the necessary educational institution for themselves or their children. The site provides an opportunity to get acquainted with the teachers and lecturers and with the program of study of interest in a particular educational institution, as well as to submit an application for admission to the chosen institution.

The edu.tatar.ru website, dedicated to e-education, contains the most complete information about ongoing events and various competitions that take place in the field of education in the Republic of Tatarstan and are aimed at increasing the level of knowledge and expanding the educational horizons of students in the region.

Edu is essentially an electronic diary of digital education. Any educational institution of the Republic of Tatarstan can take part in this useful project. You just need to fill out the e-education card on edu.tatar.ru with the necessary content. Each school in the Republic of Tatarstan has its own specially designated place for creating its own Internet page with a management system.

The administrator's work is significantly simplified by an Internet resource where the educational institution's electronic diary is filled out. To fill out a page for the edu.tatar.ru electronic diary, you do not need to buy or pay for a website. The administration system is very simple and allows anyone to easily cope with the capabilities offered by the site builder.

To avoid any problems with uninterrupted work on the edu.tatar.ru portal, the electronic diary to be filled out must be created in the Internet Explorer browser. Other browsers, such as Safari or Opera, sometimes do not work very correctly with edu and with filling out an electronic diary. Problems such as the inability to save results, inaccessible control buttons and others sometimes arise.

First you need to log in to edu.tatar.ru, entering your username and password. The electronic diary for the administrator opens when he, in turn, goes to edu.tatar.ru/admin from his page.

The edu.tatar.ru electronic educational diary offers distance courses in a variety of disciplines. Not only residents of the Republic of Tatarstan, but also other visitors to the website can take part in such distance education. A necessary requirement of the edu.tatar.ru electronic diary is mandatory registration, which allows you to log into your personal account and manage your learning process from there.

The site will be very useful not only for students, but also for teachers, since it contains all the necessary guidelines for working with children and for correctly presenting new material in any discipline. To do this, you also need to go through the usual registration procedure.

ELECTRONIC EDUCATION IN TATARSTAN

Secondary schools no longer need to think about how to create their own website; they do not need to write the source code for their website project, pay a lot of money for posting information, and then for maintaining the school website.

Now all secondary schools of the Republic of Tatarstan can post all their data absolutely free of charge on the website edu.tatar.ru, where all detailed information is entered into an electronic diary. The administration system on the website is very simple. It is available to any teacher, who can fully handle posting the necessary information.

Currently, access to the edu.tatar.ru portal, where all electronic diaries are located, is limited.

In order to enter the edu.tatar.ru electronic education portal as a guest and view the information on your Internet page, you first need to type the address edu.tatar.ru and enter the login "tatedu" and password "tat09" there.

But if you want to log into the edu.tatar.ru electronic education system as the administrator of your page or your educational institution's page, then you need to type the address edu.tatar.ru/admin. In this case, you can find out the login and password by calling the following phone number: 246 26 07.

To start working in the edu.tatar.ru system, in which you can fill out the electronic diary of your educational institution, you must become familiar with the detailed instructions on using the system. Otherwise, various errors may occur, leading to duplicated work.

In the address bar, type the address edu.tatar.ru/admin/. An authorization form will immediately appear. When filling out an electronic diary, a user of the edu.tatar.ru system first enters a personal login and password. After entering them, click "Login". If you performed the actions correctly, you will land on the "Personal Account" page. If your login and password are entered incorrectly, you will be immediately notified of an error.

Problems with working on the edu.tatar.ru electronic education website, and simple ways to solve them:

To connect a mail agent on your computer via a proxy server, you must specify the proxy server in the settings, as well as the login and password issued to the user in the EovRT system;

A problem that has arisen: after authorization, desktop computers (connected by wire to the local network via twisted pair) sometimes freeze and the message "authorization in mail" pops up. You can solve this problem as follows: type the address edu.tatar.ru and press ENTER (without \logon). After these steps, the questionnaire opens immediately;

Sometimes parents are faced with the problem of transferring their children from one class to another in the middle of the school year. In this case, click the “MOVE” button in editing the student’s profile;

If you use a laptop, the connection may often be interrupted and a window with the message "NO ACCESS" will appear. A break may occur when a new laptop is connected to the system. It has already been noted that after about 50 seconds a reconnection occurs, so it is better to wait a minute after the connection is lost. Reconnection in Windows occurs automatically. However, if this does not happen, then the following actions must be taken:
1) refresh the search for WI-FI networks;
2) turn the laptop's WI-FI off, and then immediately back on (on a ray computer, press the key combination FN + F7, highlighted);
3) as a last resort, restart the computer, after which the connection may be restored;

Since there is no ready-made curriculum template on the site, you can make your own from scratch. To do this, log in as the "My School" administrator user. Then go to the "Curricula" section, find "Individual Plan" and enter all subjects by class (SETTINGS appear as soon as the checkbox is checked and the current positions are saved). The next step is to go to the CLASSES section. Select the created Individual Plan for the class. Then click "save" and go to "SCHEDULE". Subjects are assigned to teachers in the "Employees" section;

The sequence for "DIVISION INTO GROUPS" is as follows. First you need to log in as the "School Principal". "My School" will appear; select "Classes", then "Pg". After this, add "Class Subgroups" for all subjects. Save everything. Then select "List of classes", "Teacher" and calmly begin to distribute students into groups. Save all the information again. Since teachers are assigned the corresponding lessons ("Staff"), the schedule will show the groups. Now distribute the teachers into groups.

2) it's better to set 10.7.37.2:8080, a static proxy, and not http:\\proxy.sch (possibly 10.7.37.3:8080);

3) the journal will appear if you log in as the school director and approve everything. It is necessary to add all the teachers and students, distribute subjects among teachers, enter the class schedule and approve everything. Only after this will a journal appear, and students will have a diary;

4) on desktop computers it is better to create profiles as for students and set them up there the same way as on laptops, saving them. Later, don't forget to disable password saving in your browser. You must delete the previous settings from govtatar; this can be done through "Control Panel - Accounts";

5) make the WI-FI connection automatic;

6) in order to open the Internet on laptops via WI-FI, you first need to go to edu.tatar.ru without a proxy, but using your password and login. Click on the button

Almost every Russian region has already managed to implement many virtual services designed to simplify citizens' access to most public services. And one of the most important parts of the informatization process was the development of the most convenient and functional educational portals. Thus, the electronic diary of the Republic of Tatarstan allows registered users to receive a wide range of information that can significantly improve the quality of education.

An important distinctive feature of the Tatarstan educational online service is the presence of not only standard basic information about a child’s education, but also the presence of special educational resources designed to simplify students’ access to knowledge. Schoolchildren and their parents will also like the convenient interface, which allows you to quickly move between pages and instantly open the necessary tabs.

To understand how important and useful the new service will be, you need to understand its main purpose. It is not difficult to understand why the e-education portal was created, because the main goal pursued during its creation is to simplify access to educational information.

With its help, students, teachers and parents will be able to constantly stay informed about everything that is happening at school, without worrying that some important news will remain unknown to them. One of the most important positive aspects of the digital service is its accessibility. To access the virtual journal, just visit the site and enter a password. That is, to log into the system you only need Internet access.

Another advantage that cannot be ignored is the completeness and reliability of the information available on the site. Most of the data is added to the digital diary by teachers, so everything written in it can be trusted. At the same time, the student cannot lose or forget the diary in order to avoid a bad grade. The virtual journal always remains at hand.

Diary functionality

The next point that must be understood concerns the most important functions of the electronic diary of the Republic of Tatarstan available to registered users. Currently, authorized visitors to the portal are able to:

  • View grades and get performance information (including GPA based on at least three grades);
  • monitor the student’s attendance at lessons;
  • clarify assigned homework;
  • get acquainted with the schedule and exact call schedule;
  • maintain feedback with teachers and receive messages from them;
  • use the training base available on the website;
  • learn about interesting events and planned competitions;
  • edit some personal data.

That is, the described service is an almost complete digital copy of a schoolchild's usual paper diary. But its functionality and capabilities are somewhat broader, which makes it more useful and convenient to use.

Registration

One of the most important features of the electronic diary of the Republic of Tatarstan edu.tatar.ru is the registration procedure established by the developers. No user can create their own account on their own. To be able to use the digital diary, you must provide all important personal data to the administrator responsible for registration. If this data is enough to create an account, he will do everything himself.

To obtain a login and password to enter the portal, you must personally visit your child's class teacher and ask him for the mentioned combinations. Sometimes the password is held by a person specially assigned to work with the system. But this will also have to be clarified when talking with the class teacher.

Electronic diary of the Republic of Tatarstan: logging in to "edu.tatar.ru"

Having dealt with the registration procedure, you can proceed to the authorization procedure in the electronic diary of the Republic of Tatarstan. Logging into your personal account is extremely simple and will definitely not cause its owners any great difficulty. To visit your personal account you will need to:

  1. open the main page of the official website;
  2. enter the previously obtained login and password into the fields located on the right;
  3. click the button labeled "login".

After that, all you have to do is wait for the new page to load, and the login to your personal account will be completely completed. Parents and students will have the opportunity to work in the system and view the information they need.

Login to your personal account via ESIA

In addition to the approach to visiting a personal account described above, those wishing to log in can use a second method. It allows you to quickly obtain the necessary information without visiting the edu.tatar.ru portal (electronic journal). Login to your personal account is carried out through the official government services portal. At the same time, you can reach the authorization page either directly, by opening the State Services website, or by first going to the educational service. In either case, users will have to:

  1. select ESIA (the Unified Identification and Authentication System) as the login method;
  2. enter the password and login for the state portal;
  3. select “educational” from the proposed list of services;
  4. enter the necessary data about the educational institution and the student;
  5. request the necessary information.

It is important to emphasize that in some situations the described process may have individual features and nuances that do not affect the general order of authorization.

Version for the visually impaired

A big advantage of the educational service is the presence of a special convenient option for viewing the necessary information for the visually impaired. To switch to this mode, just click the corresponding inscription on the right side of the top panel.