15 replies to this topic

[Websnake]

I was snooping around on their website and found a tiny little bug/exploit that some of you may find of interest. If you go to create a new user it in bold specifies that to make an instructor you need a code and password given to you by your 'system admin' because they purchased the software. I messed around a bit and here's what I basically did. The newuser.asp links go in this order.

Edit: Sorry, wrong order =-\

newuser_type.asp
newuser_join.asp
newuser_email.asp
newuser_password.asp
newuser_secret.asp
newuser_profile.asp
newuser_agreement.asp
newuser_complete.asp

I set my type, then in the URL I set join to email, completely bypassing the need to enter a valid key and password, i went through it with fake information up to agreement, where instead of clicking 'I accept', I set my URL straight to complete. This created an instructor account for me without even validating the ID and password, I tried logging in and it worked.

Just something interesting I found yesterday, hope someone finds a use for it.

Edited by Websnake, 27 September 2006 - 09:11 PM.

[Zeph]

Nice first post.

[anubis26]

Good observation.
By the way, is it just me or is that site running really slowly?

[secholev2]

Good observation.
By the way, is it just me or is that site running really slowly?

I think it's just you buddy. It runs pretty fast for me. but nice first post websnake.

Edited by secholev2, 26 September 2006 - 05:06 PM.

[anubis26]

Good observation.
By the way, is it just me or is that site running really slowly?

I think it's just you buddy. It runs pretty fast for me. but nice first post websnake.

Ahh... it was just someone using the phone... damned QoS on teh router!

[tehbizz]

I hope you know that turnitin.com is NOT for online grading. We implemented it at my last job (at a University) and it's to help guard against plagarism.

Although, this is interesting and I'm sure the admins of turnitin.com will be hearing about it shortly.

[Websnake]

I kind of over exaggerated my hatred for the site, but I just find it annoying when schools like mine start to post grades on one site and now they want to have people turn in papers and assignments on another, it may sound like a good idea but most people just don't know how to properly use computers, so it makes life difficult for the people that do. But that is besides the point, I am glad you find my first post to be a good one. I will continue to try to find problems with their site when I have the time, thank you for hosting a nice site such as this where I can further learn about the parts of the internet not easily available to people (thank god for that).

[Trikk]

I just tried it, seems patched?

EDIT: I can go through the pages etc. just logging in won't work

Edited by Trikk, 27 September 2006 - 04:51 PM.

[Websnake]

I'm trying to repeat it again, to remember what exactly I did, I remember messing with the link, deleting the information from it, so at one point in the registration process I must have and it worked.

This is what the registration link looks like basically.

http://turnitin.com/...601917b14fea713

If you delete everything after newuser_join.asp you get a blank window with a prev and next button, next just goes back to the beginning however.

Play around with it, i'll try to get the exact process down to a tutorial. Sorry for the inconvenience...

EDIT: I just did it again, this is basically exactly what I did:

1) Went to newuser_type.asp from the Main Page, set type to Instructor, hit Next
2) Do not enter anything into ID or password, go to the URL with is newuser_join.asp?svr=#&r=#&session-id=#andletters and change newuser_join.asp to newuser_email.asp, keeping the stuff after the ?, press Enter
3) Enter in an email for login, doesn't have to exist, Next button
4) Enter a password for login, has to include number, Next button
5) Select a secret question and input any secret answer, Next button
6) Enter a first and last name, I used something like Cool Dude, Next button
7) You will reach the agreement page, I did two different things here in an attempt to see which did it
7a) I either just went directly to the URL, newuser_agreement.aspblahblah and changed it to newuser_complete.asp and hit enter
7b) Or, I hit I agree, it brings up a page saying there was an error, hit the browser Back button, then did 7a).
8) It should work, if not, wait a while, they may just take a bit to actually create the account. If this STILL doesn't work, I will keep trying

Update: I have confirmed it takes a few minutes to create the account, so if you get a login failed message don't give up!

If you would like proof this works, try logging in with this account:

lamer[-at-]noob.com
lmfao1

(yes, I know, dumb email, I was in a hurry =-P)

Edited by Websnake, 27 September 2006 - 05:46 PM.

[n3xg3n]

welcome, and nice first post one of the best i've seen

[killer-a]

wow good job! now if we only had an account ID and password so we can actually use it

or that's the impossible part ?

[thebaboon]

wow good job! now if we only had an account ID and password so we can actually use it

or that's the impossible part ?

I think you missed the point.

[Jon]

wow good job! now if we only had an account ID and password so we can actually use it

or that's the impossible part ?

I think you missed the point.

thebaboon is right though.
in order to use this at all, you need to join an account with a school.

if you just make an instructors account, its about as worthless as a students.

[ranjha_1]

This 1 is not working for me....
any 1 plz help 2 day is the last date and i have to submit my report...

make any account and thn give me user name and password...

i`ll be gratefull to you.

regards

[TheFunk]

Sorry bud, this post is almost 7 years old. Any chance you had at doing this is long since gone. This topic will probably also be closed soon. Good luck with your report.

[StankDawg]

oh...wow... I need to find that thread diggers award for this one.