Gradebusters / Making the Grade, or something with names like that, used to use a Java applet to "secure" the web site with student grades. You could just download the applet and decompile it to figure out their trivial encoding of the IDs and PINs (which were just params in the HTML).
Or you could figure out just an ID (typically a student ID number, although more than a few were social security numbers, apparently), and use "1066" since they had a backdoor PIN in quite a few releases. Battle of Hastings, eh?
Want to know how users did web security instead of asking their admins for a proper .htaccess/server-level config setup? That's how.
Heh, I've seen a great example of "high end" software for partitioning servers for a specific vertical (so multiple hostile customers could share the same hardware). Java applet to provide "rich" experience cross platform. OK, debatable.
Security? On start, the Java app downloads a connection string to the MySQL DB. Which contains the root login for both SSH and MySQL. Then it prompts for your password and queries the Users table to see if you're allowed. And it helpfully logs this info into the user's temp directory. "Ah yes, this is a known limitation in our current design."
Edit: They repeatedly lied to customers about various security fixes (I didn't do full disclosure on the numerous issues I found). They didn't care as they were sold for a world of money, then the entire product line was nixed. Most customers don't seem to care (I've found similar stuff across the board); hackers are targeting lower hanging fruit for the time being.
I've worked with Moodle adding custom reports and features to it. The shop where I worked was stuck at Moodle 2.x and couldn't upgrade because it was a clusterfuck of custom code mixed with outdated plugins.
I feel you.
It worked, but god damn; I literally quit that job because of the stress of working with Moodle day in, day out.
It's extremely hard to break into because, like healthcare, these gigantic institutions where nobody can get fired made choices ten to twenty years ago that have now become "the way it's done" and they won't accept a better solution.
In fairness, my university changed systems every year or so while I was there. They all sucked, so sticking with your existing solution is possibly not the worst decision.
Blackboard is a known aggressor with its patent portfolio and cash. They will acquire and extinguish or just kill you with a patent lawsuit if you present a significant threat to their products.