The Lebanese University (UL), Lebanon’s only public university and one of the largest in the Arab world, is running multiple official faculty websites without HTTPS/SSL encryption, without basic security headers, and on outdated server-side technologies, putting thousands of students’ personal and academic data at serious risk.
This is not a small oversight. These are official government-affiliated educational portals handling student registrations, exam results, admissions, and sensitive faculty data in the health sector, and they are being served over plain HTTP in 2026.
Technical Findings
1. No SSL/TLS — Plain HTTP in 2026
The Faculty of Public Health II website (http://www.fsp2.ul.edu.lb/) is served entirely over unencrypted HTTP. There is no HTTPS redirect, no SSL certificate, and no transport-layer security whatsoever.
This means:
- All data submitted through the site (login credentials, registration forms, uploaded documents) is transmitted in plaintext
- Any attacker on the same network (coffee shop, campus Wi-Fi, ISP level) can perform man-in-the-middle (MITM) attacks and intercept or modify traffic in real time
- Student login sessions can be hijacked via cookie theft
- Forms collecting personal data (names, IDs, contact info) are fully exposed
2. Outdated Technology Stack
The site runs on classic ASP (.asp pages), a technology Microsoft deprecated over two decades ago. Classic ASP has a long history of known vulnerabilities including:
- SQL injection via unparameterized queries
- Path traversal attacks
- Server-side script injection
- Information disclosure through verbose error messages
There are no signs of a Web Application Firewall (WAF), rate limiting, or any modern security layer protecting these endpoints.
3. No Security Headers
A quick inspection reveals the absence of basic HTTP security headers:
| Header | Status |
|---|---|
| Strict-Transport-Security (HSTS) | ❌ Missing |
| Content-Security-Policy (CSP) | ❌ Missing |
| X-Frame-Options | ❌ Missing |
| X-Content-Type-Options | ❌ Missing |
| Referrer-Policy | ❌ Missing |
Without these, the browser enforces none of the standard mitigations for clickjacking, MIME-type sniffing attacks, cross-site scripting (XSS), and iframe injection, leaving the site exposed to all four.
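A defender-side check for findings 1 and 3, added here as an example (it is not UnderCode's tooling): it audits a raw HTTP response head for a permanent HTTPS redirect and for the five headers in the table, including values too weak to count. The host name, the sample responses, and the 180-day HSTS threshold are assumptions made for this example.

```python
import re

HSTS_MIN_AGE = 15552000  # 180 days; threshold chosen for this example

def _hsts_ok(value):
    m = re.search(r'max-age\s*=\s*"?(\d+)', value, re.I)
    return bool(m) and int(m.group(1)) >= HSTS_MIN_AGE

# header name -> (validator, reason reported when the value is too weak)
CHECKS = {
    "strict-transport-security": (_hsts_ok, "max-age absent or under 180 days"),
    "content-security-policy": (lambda v: "unsafe-inline" not in v.lower(), "allows 'unsafe-inline'"),
    "x-frame-options": (lambda v: v.upper() in ("DENY", "SAMEORIGIN"), "not DENY or SAMEORIGIN"),
    "x-content-type-options": (lambda v: v.lower() == "nosniff", "value is not nosniff"),
    "referrer-policy": (lambda v: v.lower() != "unsafe-url", "unsafe-url sends full URLs"),
}

def parse_head(raw):
    """Split a raw response head into (status code, {lowercased name: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def audit(url, raw):
    """Return {finding: reason} for one response fetched from url."""
    status, h = parse_head(raw)
    https, findings = url.lower().startswith("https://"), {}
    if not https:
        if status in (301, 308) and h.get("location", "").lower().startswith("https://"):
            return {}  # clean redirect: audit the HTTPS target's response instead
        findings["transport"] = "plain HTTP, no permanent redirect to HTTPS"
    for name, (ok, reason) in CHECKS.items():
        if name not in h:
            findings[name] = "missing"
        elif name == "strict-transport-security" and not https:
            findings[name] = "ignored by browsers over plain HTTP"
        elif not ok(h[name]):
            findings[name] = reason
    return findings

# Constructed sample responses (not captured from any real site).
PLAIN = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: example\r\n\r\n<html>"
HARDENED = ("HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000\r\n"
            "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
            "X-Frame-Options: DENY\r\nX-Content-Type-Options: nosniff\r\n"
            "Referrer-Policy: strict-origin-when-cross-origin\r\n\r\n")
```

Calling `audit("http://portal.example.edu/", PLAIN)` reports the transport finding plus all five headers as missing, while the hardened HTTPS response returns an empty dict.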
4. Exposed Sensitive Documents & Directory Structure
The site exposes direct links to PDF documents and internal directory paths with no access control:
- Registration forms, admission guides, and circulars are publicly accessible via predictable URLs
- Image directories and file paths are exposed in source code
- No evidence of access controls on the Master candidature upload section (/masreg/masreg.asp)
5. Unprotected Student Upload Portal
The Master’s degree candidature upload section allows document uploads with no visible authentication layer, rate limiting, or file validation — a classic vector for malicious file upload attacks or data harvesting.
Affected URLs
- http://www.fsp2.ul.edu.lb/ — Faculty of Public Health II (Fanar)
- http://www.fsp2.ul.edu.lb/masreg/masreg.asp — Master candidature upload
- http://lupayroll.ul.edu.lb/ — Salary & payroll portal linked from the faculty site


Impact
Who is affected?
- Thousands of Lebanese health sector students (nursing, public health, medical lab, nutrition, environmental health)
- Faculty staff and administrative personnel
- Applicants submitting personal data for admission and competitive exams
What can go wrong?
- Mass student data leaks (names, ID numbers, contact details, academic records)
- Credential theft for students accessing internal portals
- Forged or tampered academic documents
- Phishing campaigns impersonating the university
- Complete defacement or takeover of the site given the outdated stack
Root Cause: A Systemic IT Governance Failure
This isn’t a technical accident — it’s a governance failure. SSL certificates from Let’s Encrypt are free and take minutes to deploy. Migrating from classic ASP to a maintained technology stack is a matter of institutional will and budget prioritization.
Lebanon’s public universities have long suffered from political hiring practices where IT and administrative roles are filled based on political affiliation rather than technical competence. The result is exactly what we’re seeing: critical public infrastructure maintained by people without the skills to secure it, exposing Lebanon’s next generation of healthcare professionals to entirely preventable risks.
When a country’s health sector produces graduates whose data has been leaked, forged, or tampered with during their education — the damage goes beyond cybersecurity. It undermines the integrity of the entire professional credentialing system.
Recommendations
For Lebanese University administration:
- Enable HTTPS immediately — use Let’s Encrypt (free, automated)
- Force HTTPS redirects and implement HSTS
- Migrate away from classic ASP to a maintained, supported framework
- Implement proper authentication on all student-facing portals
- Deploy a WAF and conduct a full penetration test
- Add security headers across all web properties
- Establish a responsible disclosure policy and a security contact
For students:
- Do not submit sensitive personal data through these portals on public/campus Wi-Fi
- Use a VPN when accessing university portals
- Be alert to phishing emails pretending to be from the university
Fact Checker:
✅HTTPS/SSL/TLS is a basic security requirement for protecting users from traffic interception.
✅That a specific website is causing student data leaks.
Prediction:
(+1) If Lebanon had a real government and kicked out terrorist organizations, economic growth would help the tech sector and avoid hiring non-skilled IT workers.
Disclosure
This report is published in the public interest. No systems were accessed beyond standard HTTP requests available to any browser. UnderCode News encourages Lebanese University to address these issues promptly and is willing to assist with responsible disclosure coordination.
Reported by: UnderCode News Security Team




