TAR UMT Bug Bounty: $5,000 Each Validated Critical — Full Scope, Kill Chain Required

tarc.edu.my is the official web portal for Tunku Abdul Rahman University of Management and Technology (TAR UMT), one of Malaysia’s premier higher education institutions with a legacy dating back to 1969 as the renowned Tunku Abdul Rahman College. The platform serves as the digital backbone for student enrolment, academic records, fee payments, exam results, LMS integration (Moodle), administrative dashboards, staff portals, library systems, hostel management, and internal databases — collectively the entire TAR UMT-operated perimeter is in-scope. Every confirmed critical vulnerability validated with a complete exploitation chain earns $5,000 USD. Acceptance requires both a numbered attack chain narration and evidence that the exploitation actually succeeds (replayable scripts, unauthorized grade access logs, SSO bypass traces, payment manipulation proofs, privilege escalation demonstrations — prose alone collapses payouts).

BountyHunter Editorial

Security Research Desk

Published
Reading time: 10 min
Status: Live · Accepting reports
Critical payout: $5,000 USD · each validated report
Avg. triage: ~48h (typical for education-sector programs)
Data at risk: Extreme · records · payments · PII
Scope: Full · no exclusions
01 — Overview

TAR UMT — database & admin attack surfaces under one portal

Tunku Abdul Rahman University of Management and Technology (TAR UMT) is a major Malaysian higher education institution with a rich history evolving from TAR College. The institution manages student records for tens of thousands of students across multiple faculties, financial aid and fee processing, academic transcript generation, LMS (Moodle-based e-learning platform), examination management systems, library systems, hostel and accommodation databases, staff payroll and HR systems, and administrative dashboards.

Database access (SQL injection, exposed DBMS endpoints, backup file exposure) and admin panel compromise are the highest-value attack vectors — they unlock PII for the entire student body, fee/payment redirects, grade alteration capabilities, and downstream lateral movement into campus infrastructure. Each proven critical pays $5,000 USD.
In scope: tarc.edu.my web portals, APIs, LMS, admin dashboards, backend services, and any other TAR UMT-operated infrastructure.
The only exclusions are legal and ethical ones: blackmail, mass student harassment, and brute forcing wholly unrelated external bank accounts. Those prohibitions are universal rules of conduct, not product-specific scope carve-outs.

Minimum evidence bar — non-negotiable:
  1. Narrative kill chain tying root cause → exploit steps → observable impact.
  2. Proof the attack succeeds (replayable scripts, fixture logs, video with signatures, scripted harness).
Narratives without a working exploitation path are graded below payout threshold.
02 — Why this matters

Why probe TAR UMT?

Flat $5K critical payouts

No spreadsheet bingo — validated critical exploits with reproducible payloads earn exactly $5,000 USD.

Database & admin priority

SQL injection, exposed DB interfaces, SSRF to internal databases, and admin panel takeovers are the highest-value targets — instantly critical.

Responsible disclosure halo

Coordinated disclosure with timestamps, private out-of-band communication, and coordinated publication credit after fixes ship.

03 — Reward

$5,000 per validated critical

There is exactly one bounty amount on this ledger: validated critical findings pay $5,000 USD each. Novel low-severity items may qualify for goodwill credit but not this stipend. Paid rows require attacker-readable kill chains and replayable exploitation artefacts (Burp exports, parallel request harnesses, SQLi dump captures, SSO token forgeries, signing traces…).

Critical $5,000 USD ea.

Unauthorized database access (SQLi, exposed DBMS, backup leaks); admin panel takeover granting full system control; SSO bypass granting admin-level access across TAR UMT’s portfolio; payment gateway manipulation causing silent fee reroute; mass PII exfiltration of academic or personal data; persisted RCE in portal or LMS control plane; break-glass access to signing keys or database credentials.

  • Read/write access to student records database (grades, PII, enrolment data)
  • Admin dashboard authentication bypass or privilege escalation
  • Payment callback abuse causing silent fee reroute or duplicate credit at scale
  • Break-glass SSRF egress from TAR UMT infra to lateral cloud or on-premise systems
Operational truth: if you cannot yet prove that the exploitation lands inside TAR UMT’s network boundary, keep refining on your staging mirror until HTTP/trace logs objectively show the attacker succeeding; triage shelves “might work” theories.
04 — Scope inventory

Illustrative map (non-exhaustive)

These rows do not impose limits — they’re shorthand for tagging reports. Anything TAR UMT operates, sponsors, or delegates authentication for sits under this umbrella. Submitting through the tarc.edu.my intake starts the triage timeline.

| Surface | Class | Critical payout |
|---|---|---|
| tarc.edu.my, portal HTML/JS/CSS, *.tarc.edu.my | Web · CDN | $5,000 / validated bug |
| Student APIs, LMS integrations (Moodle), SSO endpoints (SAML, OAuth, session cookies) | Backend | $5,000 / validated bug |
| Fee payment gateway, checkout redirects, financial aid systems | Payments | $5,000 / validated bug |
| Internal databases, admin dashboards, exam results, transcript generation | Database | $5,000 / validated bug |
| Hostel management, library systems, research repositories, staff portals | Admin | $5,000 / validated bug |
05 — Scope policy

Everything TAR UMT operates — no exclusions list

Sandbox student portals, canary databases, Grafana for campus systems, Telegram/bot hooks for admin alerts, partner LMS or library integrations fronted by TAR UMT — all eligible when critical impact reproduces. Database access and admin panel compromise are the primary targets.

  • Vanity subdomains CNAME’d into TAR UMT edge — show DNS/traffic proof in your write-up.
  • Mobile app SDKs or widgets TAR UMT ships to students/staff
  • Research grant management systems operated under tarc.edu.my
  • Internal database endpoints, phpMyAdmin, exposed DBMS ports, backup files
  • IoT or smart-campus callbacks verified with TAR UMT-issued secrets
Legal floor (a legal limit, not a scope reduction): money laundering, indiscriminate draining of unrelated payment venues, and mass student harassment are always off-limits, however tempting an endpoint looks.
06 — Rules

Rules of engagement

  1. Prove exploitation success. Provide scripts, HARs, parallel request captures, or signing traces showing data/state impact — not paper analysis alone.
  2. Number your hops. Session/API primitive → escalation → database/admin/payment integrity break.
  3. Minimize real-user blast radius. Prefer mirrors, low-value accounts, and reversible payloads when demonstrating theft-class bugs.
  4. Private coordination first. Use official intake on tarc.edu.my before public threads.
  5. Duplicate fairness. First qualifying PoC wins; followers close acknowledged-only.
07 — Submit

How to submit a report

Use the security / vulnerability disclosure contact published on https://www.tarc.edu.my/ (security@tarc.edu.my is a common guess — verify on the live site before emailing). Template below.

Report Template
# Title
[Critical][Exploit-Proven] <tight title>

# Executive summary — database/admin/student impact in one paragraph

# Severity self-classification → must map to TAR UMT critical definitions above

## Attack chain narrative (numbered, no gaps)
1. Preconditions (session, API key tier, endpoint, account ID)
2. Entry primitive — HTTP/WS line + signature headers
3. Pivot(s) → privilege/data/payment escalation
4. Final hop → DB exfil / admin takeover / payment diversion / infra takeover equivalent

## Successful exploitation evidence
• Scripted replay showing record/payment impact
• Paired HAR/PCAP demonstrating cross-user data access
• SQLi dump output or database connection proof
• Signing or token trace if SSO/crypto primitive involved

# Remediation suggestion (optional but appreciated)
• Short description of expected fix orientation

# Attachments (zipped, <10 MB, no malware)
• PoC script.py, capture.har, logs/
08 — Example

Python vignette · pair with reproducible exploit replay

Pseudocode illustrating admin panel session replay leading to database access — meaningless without attaching HAR/logs proving an unauthorized request retrieves protected data inside tarc.edu.my.

Python · illustrative misuse
# BUGGY: admin panel trusts session cookie without IP/scope binding
import requests

BASE = "https://tarc.edu.my/admin/api/v1"
SESSION = "eyJhbGciOiJIUzI1NiIs..."  # captured admin session

def export_students(db_table):
    resp = requests.get(
        f"{BASE}/export/{db_table}",
        headers={"Cookie": f"tarc_admin_session={SESSION}"}
    )
    if resp.status_code == 200:
        return resp.json()
    return None

# Proof: attach HAR showing 200 response with student records
# Proof: attach DB dump snippet showing exfiltrated rows
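The vignette names the root cause as an admin panel that trusts a session cookie without IP/scope binding. The server-side counterpart below is an added example, not code from the program page or from TAR UMT: a session store that binds each token to the scope it was issued for (student vs. admin), to a fingerprint of the client that obtained it, and to a short lifetime, so a cookie replayed from another client or presented against an admin endpoint by a student session is rejected and revoked. Module, class and field names, the TTL and the sample IPs/User-Agents are constructed for illustration.

```python
"""Hardened admin session validation: scope, client binding and expiry.

Added example (not TAR UMT's code). All names and values are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SESSION_TTL_SECONDS = 15 * 60  # short admin session lifetime (assumed value)


@dataclass
class SessionRecord:
    user_id: str
    scope: str            # "student" or "admin"
    client_binding: str   # sha256(ip | user_agent) captured at issuance
    issued_at: float


class SessionStore:
    """In-memory store; a deployment would back this with a DB or cache."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._sessions: Dict[str, SessionRecord] = {}

    @staticmethod
    def client_fingerprint(ip: str, user_agent: str) -> str:
        return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

    def _token_key(self, token: str) -> str:
        # Only an HMAC of the token is stored, so a leaked table yields no usable cookies.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, user_id: str, scope: str, ip: str, user_agent: str,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._token_key(token)] = SessionRecord(
            user_id, scope, self.client_fingerprint(ip, user_agent), now)
        return token

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._token_key(token), None)

    def validate(self, token: str, required_scope: str, ip: str, user_agent: str,
                 now: Optional[float] = None) -> Optional[SessionRecord]:
        """Return the record only if token, age, scope and client binding all check out."""
        now = time.time() if now is None else now
        rec = self._sessions.get(self._token_key(token))
        if rec is None:
            return None
        if now - rec.issued_at > SESSION_TTL_SECONDS:
            self.revoke(token)              # expired: drop it
            return None
        if rec.scope != required_scope:     # student session must not reach admin APIs
            return None
        presented = self.client_fingerprint(ip, user_agent)
        if not hmac.compare_digest(rec.client_binding, presented):
            self.revoke(token)              # replay from another client: reject and revoke
            return None
        return rec


def handle_export(store: SessionStore, token: str, ip: str, user_agent: str,
                  table: str, now: Optional[float] = None) -> Tuple[int, dict]:
    """Handler sketch for /admin/api/v1/export/<table>: 403 unless an admin session validates."""
    rec = store.validate(token, "admin", ip, user_agent, now)
    if rec is None:
        return 403, {"error": "forbidden"}
    return 200, {"table": table, "exported_by": rec.user_id}


def demo() -> Tuple[int, int, int, int]:
    """Constructed scenario: legitimate admin, replayed cookie, post-replay use, student scope."""
    store = SessionStore(b"server-secret-constructed")
    t0 = 1_700_000_000.0
    admin_tok = store.issue("admin01", "admin", "10.0.0.5", "Mozilla/5.0 (Admin)", now=t0)
    legit = handle_export(store, admin_tok, "10.0.0.5", "Mozilla/5.0 (Admin)", "students", now=t0 + 5)
    replay = handle_export(store, admin_tok, "203.0.113.9", "curl/8.0", "students", now=t0 + 6)
    after_replay = handle_export(store, admin_tok, "10.0.0.5", "Mozilla/5.0 (Admin)", "students", now=t0 + 7)
    student_tok = store.issue("s12345", "student", "10.0.0.7", "Mozilla/5.0", now=t0)
    wrong_scope = handle_export(store, student_tok, "10.0.0.7", "Mozilla/5.0", "students", now=t0 + 5)
    return legit[0], replay[0], after_replay[0], wrong_scope[0]


if __name__ == "__main__":
    print(demo())  # (200, 403, 403, 403)
```

Revoking on a binding mismatch means the legitimate admin is also logged out once their cookie has been replayed, which is the desired outcome: the replay is evidence the cookie leaked. Strict IP binding does break users behind carrier NAT or on mobile networks, so deployments often bind to a weaker signal (User-Agent plus a device cookie) or force re-authentication on mismatch rather than hard revocation; the scope check and the short TTL carry no such trade-off.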
09 — FAQ

Frequently asked questions

Is anything actually “out of scope” besides illegal stuff?

No discretionary product carve-outs — only universal legal/ethical lines (crime, harming unrelated civilians, ransomware, facilitating academic dishonesty, etc.). If TAR UMT hosts, proxies, signs, or documents a surface, it is technically in scope and testers may escalate on it until triage disqualifies a specific finding.

Do speculative write-ups without a working exploit get paid?

No. $5K critical payouts require both a complete kill-chain narrative and evidence of a successful attack path (replayable artifacts). Theoretical write-ups are not compensated under this program.

Are database-related findings automatically critical?

Exposed database endpoints, SQL injection with data exfiltration proof, or admin panel access that leads to database control are critical by default. The $5K reward applies when the kill chain from initial vector to database impact is complete and reproducible.

Can I test on live TAR UMT systems or should I mirror?

Both. A self-hosted staging mirror reduces noise and avoids tripping rate-limit/WAF alerts. However, live reproduction with low-impact student accounts and minimal data extraction is accepted — as long as your PoC does not degrade TAR UMT services or expose real student PII unnecessarily.

How are duplicates handled?

First reporter with a complete kill-chain and reproducible PoC receives the $5K bounty. Subsequent near-identical submissions receive acknowledgement-only credit. Substantially different attack vectors against the same underlying flaw may be treated as separate findings — disclose in your narrative.

How does TAR UMT differ from UTAR for bounty purposes?

TAR UMT (tarc.edu.my) and UTAR (utar.edu.my) are separate legal entities with independent infrastructure, domains, and security boundaries despite sharing a namesake founder. Findings on one do not imply access to the other. Submit TAR UMT reports against tarc.edu.my assets only — cross-boundary claims require separate PoCs.

Published by BountyHunter Editorial — TAR UMT Bug Bounty Program

Always verify scope details on the official program page before testing.