Disclosure of Security Vulnerabilities in the Schulportal Hessen

Aug 22, 2025

This article gives an overview of a security analysis conducted in 2023 on the Schulportal Hessen (Hesse School Portal). The analysis uncovered several critical vulnerabilities, which were responsibly disclosed. All events described here occurred in 2023, and all identified security gaps have since been closed. Our interaction with the Schulportal Hessen team was consistently productive and professional, demonstrating their commitment to securing the platform.

The investigation uncovered a chain of vulnerabilities originating from software flaws and system misconfigurations. These issues, when combined, allowed for the escalation of privileges from an initial low-level entry point to full administrative control over approximately 100 servers within the portal's infrastructure. This included access to a network connection within the Hessian Central Data Processing Center (HZD).

Vulnerability Discovery and Impact

The Schulportal Hessen utilizes widely adopted open-source platforms, including Moodle for learning management and Mahara for student portfolios. The initial entry point was established by identifying vulnerabilities within third-party plugins integrated into the portal's Moodle instances. These flaws permitted the unauthorized reading of sensitive files from the server, including system configuration files.

A pivotal discovery was a significant configuration oversight. A database management interface, intended for internal use, was exposed to the public without requiring authentication. By leveraging the information from the previously accessed configuration files, it was possible to gain access to the portal's central user database. This database contained information about all portal users, including students, parents, teachers, and administrators, along with their associated schools, names, and hashed passwords.

Escalation to Full System Control

With access to the central user database, an old administrator account was identified and temporarily compromised to gain high-level administrative privileges. This level of access permitted a thorough review of the portal's internal services, such as its source code repositories and documentation platforms.

The final and most critical discovery was made on an internal file-sharing service. A master SSH key was located, which granted complete, unrestricted administrative (root) access to every server in the Schulportal's network. This effectively gave us control over the core infrastructure of the platform. Because this access could potentially extend into the broader HZD network, the risk of significant disruption was considerable.
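A defender-side check for the finding above, as an added example that is not part of the original write-up or the portal's tooling: it walks a shared directory tree, finds private-key blocks, and reports whether each one is passphrase-protected. The function names, file paths and key blobs are constructed for illustration.

```python
import base64, os, re, struct, tempfile
PEM_RE = re.compile(rb"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
                    rb"\r?\n(.*?)-----END \1-----", re.S)  # legacy PEM, PKCS#8, OpenSSH
MAGIC = b"openssh-key-v1\0"  # header of the OpenSSH private-key container

def classify(label: bytes, body: bytes) -> str:
    """Say whether one private-key block is passphrase-protected."""
    if label == b"ENCRYPTED PRIVATE KEY" or b"Proc-Type: 4,ENCRYPTED" in body:
        return "encrypted"
    if label == b"OPENSSH PRIVATE KEY":
        try:
            raw = base64.b64decode(b"".join(body.split()))
        except ValueError:
            return "unparseable"
        if not raw.startswith(MAGIC) or len(raw) < len(MAGIC) + 4:
            return "unparseable"
        (n,) = struct.unpack(">I", raw[len(MAGIC):len(MAGIC) + 4])
        cipher = raw[len(MAGIC) + 4:len(MAGIC) + 4 + n]  # "none" means no passphrase
        return "unencrypted" if cipher == b"none" else "encrypted"
    return "unencrypted"

def scan_tree(root: str, max_bytes: int = 1 << 20) -> list:
    """Return sorted (relative path, key type, status) for each key under root."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                continue  # skip symlinks and files too large to be key material
            with open(path, "rb") as fh:
                data = fh.read()
            for m in PEM_RE.finditer(data):
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                found.append((rel, m.group(1).decode(), classify(m.group(1), m.group(2))))
    return sorted(found)

def demo() -> list:
    """Scan a constructed share; the blobs hold only the header fields read above."""
    def key(cipher: bytes) -> bytes:
        raw = base64.b64encode(MAGIC + struct.pack(">I", len(cipher)) + cipher)
        return b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + raw + b"\n-----END OPENSSH PRIVATE KEY-----\n"
    files = {"ops/backup/id_master": key(b"none"), "ops/id_admin": key(b"aes256-ctr"),
             "ops/readme.txt": b"deploy notes\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(content)
        return scan_tree(root)
```

Calling `demo()` scans the constructed tree; pointing `scan_tree()` at a real share export gives the list of keys that need to be rotated and moved into a secrets store.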

Resolution and Conclusion

Upon discovery, all vulnerabilities were immediately and responsibly reported to the appropriate authorities. The Schulportal Hessen team acted swiftly to address and remediate each of the identified issues. The communication throughout this process was positive and constructive, indicating that system security is a high priority for the organization.

This engagement highlights the critical importance of regular, in-depth security audits and robust access control policies. It also serves as a positive example of how the use of open-source software can facilitate independent security research, ultimately leading to stronger and more secure digital infrastructure for public institutions.