Submission #700465: Sourcecodester Online Student Clearance System Project 1.0 /Admin/delete-fee.php Broken Access Control

Information

Title: Sourcecodester Online Student Clearance System Project 1.0 /Admin/delete-fee.php Broken Access Control
Description:

# Sourcecodester Online Student Clearance System Project V1.0 /Admin/delete-fee.php Broken Access Control

#### NAME OF AFFECTED PRODUCT(S)
- Online Student Clearance System

#### Vendor Homepage
- https://www.sourcecodester.com/php/17892/online-clearance-system.html

#### Submitter
- yudeshui

#### Vulnerable File
- /Admin/delete-fee.php

#### VERSION(S)
- V1.0

#### Software Link
- https://www.sourcecodester.com/sites/default/files/download/Senior%20Walter/student_clearance_system_aurthur_javis.zip

PROBLEM TYPE

### 1. Unauthorized Data Deletion

This vulnerability is found in the **Online Student Clearance System** project.

#### Vulnerable File Location

`Admin/delete-fee.php` (Lines 6-10)

#### Vulnerable Code

```php
error_reporting(0);
include('../connect.php');
include('../connect2.php');
// No session, login or role check happens before this point:
// the request parameter is taken straight from the URL.
$id= $_GET['id'];
$sql = "DELETE FROM fee WHERE ID=?";
$stmt= $dbh->prepare($sql);
$stmt->execute([$id]);
header("Location: add-fee.php");
```

#### Description

The script `Admin/delete-fee.php` executes a `DELETE` query on the `fee` table based on the ID provided via the **`GET`** parameter `id`. This is a **Broken Access Control** vulnerability: the script **lacks any authorization check** (for example, verifying that the user is logged in or holds the administrator role). Any user, including an unauthenticated one, can execute this script by requesting the URL directly (e.g., `/Admin/delete-fee.php?id=123`), leading to unauthorized data deletion. Note that the query itself uses a prepared statement, so the flaw is a missing access check, not SQL injection.

#### Suggested Mitigation

Implement a strict **authentication and authorization check** at the beginning of the script. Ensure that only users with the appropriate administrative role are permitted to execute the deletion operation.
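The following is an added example of what the suggested mitigation looks like in code; it is not part of the submitter's report and not the project's own code. It is a hardened replacement for `Admin/delete-fee.php` that keeps the original prepared statement but adds the missing checks. The session keys `user_id`, `role` and `csrf_token`, the role value `admin`, and the `../login.php` path are assumptions about how the application tracks its login state, since the report does not describe that part of the code.

```php
<?php
// Added example (not the project's code): hardened Admin/delete-fee.php.
// Assumes the login flow calls session_start() and stores the account id in
// $_SESSION['user_id'] and its role in $_SESSION['role'] (assumed names).
declare(strict_types=1);

session_start();
include('../connect.php');
include('../connect2.php');

// 1. Authentication: anyone without a logged-in session is sent to login.
if (empty($_SESSION['user_id'])) {
    header('Location: ../login.php'); // assumed login page
    exit;
}

// 2. Authorization: only the administrator role may delete fee records.
if (($_SESSION['role'] ?? '') !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}

// 3. A state-changing action is accepted via POST only, so a plain link,
//    bookmark or image tag pointing at this URL no longer deletes anything.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Method Not Allowed');
}

// 4. CSRF token: the delete form must carry the token issued to this session.
//    hash_equals() compares in constant time.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Invalid CSRF token');
}

// 5. Validate the identifier: a positive integer and nothing else.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request');
}

// The prepared statement from the original script is already safe against
// SQL injection; it is kept unchanged.
$stmt = $dbh->prepare('DELETE FROM fee WHERE ID = ?');
$stmt->execute([$id]);

// 6. Audit trail: every deletion is attributable to an account.
error_log(sprintf('fee %d deleted by user %s', $id, $_SESSION['user_id']));

header('Location: add-fee.php');
exit;
```

The page that renders the delete button has to issue the token this script checks, for example `$_SESSION['csrf_token'] = bin2hex(random_bytes(32));` on render and a hidden `csrf_token` input in a POST form alongside the hidden `id`. Steps 1 and 2 are the fix for the reported issue; steps 3 to 6 are the defaults an administrative delete endpoint should have regardless, and the 405 response makes the old `?id=` URL harmless rather than silently working for whoever is logged in.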
Source: https://github.com/rassec2/dbcve/issues/8
User: yudeshui (UID 91129)
Submitted: 24/11/2025 07:34 AM (7 months ago)
Moderation: 07/12/2025 09:02 AM (13 days later)
Status: Approved
VulDB Entry: 334649 [SourceCodester Online Student Clearance System 1.0 Fee Table /Admin/delete-fee.php id Authorization Bypass]
Points: 20
