Computer Laboratory Management System v1.0 - Incorrect access control

2024.08.04
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

# Exploit Title: Computer Laboratory Management System v1.0 - Incorrect access control # Date: 08 July 2024 # Exploit Author: Sampath kumar kadajari # Vendor Homepage: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html # Software Link: https://www.sourcecodester.com/download-code?nid=17268&title=Computer+Laboratory+Management+System+using+PHP+and+MySQL # Version: v1.0 # CVE: CVE-2024-41332 # Tested on: Windows, XAMPP, Apache, MySQL ------------------------------------------------------------------------------------------------------------------------------------------- Incorrect access control in the delete_category function of Sourcecodester Computer Laboratory Management System v1.0 allows authenticated attackers with low-level privileges to perform arbitrarily delete actions. "Vulnerable Code" – ( classes/master.php) function delete_category(){ extract($_POST); $del = $this->conn->query("UPDATE `category_list` set `delete_flag` = 1 where id = '{$id}'"); if($del){ $resp['status'] = 'success'; $this->settings->set_flashdata('success'," Category successfully deleted."); }else{ $resp['status'] = 'failed'; $resp['error'] = $this->conn->error; } return json_encode($resp); } ---> Affected Component: http://localhost/php-lms/classes/Master.php?f=delete_category "Fix for Vulnerable Code": function delete_category(){ // Check if the user is logged in and has an admin role if (!isset($_SESSION['userdata']['role']) || $_SESSION['userdata']['role'] != 'admin') { $resp['status'] = 'failed'; $resp['error'] = 'Unauthorized access.'; return json_encode($resp); } // Proceed with the delete action if authorized extract($_POST); $del = $this->conn->query("UPDATE `category_list` set `delete_flag` = 1 where id = '{$id}'"); if($del){ $resp['status'] = 'success'; $this->settings->set_flashdata('success',"Category successfully deleted."); }else{ $resp['status'] = 'failed'; $resp['error'] = $this->conn->error; } return json_encode($resp); }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top