Submission #847515: SourceCodester (ampoldev) Online Examination & LMS (CICT Portal) by ampoldev 2026-05-25 Improper Privilege Management

Information

Title: SourceCodester (ampoldev) Online Examination & LMS (CICT Portal) by ampoldev 2026-05-25 Improper Privilege Management
Description: The public registration form at register.php renders an HTML <select> dropdown with the role values "student" and "instructor". The server-side handler (auth_process.php) reads the role value directly from the POST body and inserts it into the users table without validation. An unauthenticated attacker can intercept the POST request and change the role parameter to any value, including "super_admin", gaining immediate administrative access to the entire system. No server-side allowlist is enforced. The vulnerability requires zero existing privileges and is exploitable by any internet user who can reach the registration endpoint.
Source: https://pastebin.com/Z4i5MGxk
User: ameenkbrd (UID 98192)
Submitted: 04/06/2026 08:56 AM (1 month ago)
Moderated: 04/07/2026 09:55 AM (1 month later)
Status: Approved
VulDB entry: 376307 [SourceCodester Online Examination & Learning Management System 1.0 Registration Endpoint register.php role privilege escalation]
Points: 17
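The defect in the description is that the form, not the server, defines the set of roles a new account may receive. The following added illustration (not the CICT Portal's own code; the `users` column names, the PDO handle and the use of `password_hash()` are assumptions) puts the insecure pattern beside a handler that validates the role against a fixed server-side allowlist before any SQL runs.

```php
<?php
// Added illustration, not the CICT Portal's own code. Column names, the
// PDO handle and password_hash() usage are assumptions.

// Insecure pattern as described in the submission: the role is taken from
// the POST body and stored as-is, so any value reaches the users table.
function registerUnsafe(PDO $db, array $post): void
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, password, role) VALUES (?, ?, ?)'
    );
    $stmt->execute([
        $post['username'],
        password_hash($post['password'], PASSWORD_DEFAULT),
        $post['role'], // client-controlled, never checked
    ]);
}

// Hardened pattern: the server owns the list of roles that self-service
// registration may assign. Administrative roles are never in this list;
// privileged accounts are created only through an authenticated admin path.
const SELF_SERVICE_ROLES = ['student', 'instructor'];

function resolveRegistrationRole(?string $requested): string
{
    // Strict comparison so that null, integers or look-alike strings fail.
    if (!in_array($requested, SELF_SERVICE_ROLES, true)) {
        throw new InvalidArgumentException(
            'Role not permitted for self-registration'
        );
    }
    return $requested;
}

function registerSafe(PDO $db, array $post): void
{
    // Validate first: an unexpected role must stop the request before the
    // INSERT, and the rejection is worth logging as a tampering indicator.
    $role = resolveRegistrationRole($post['role'] ?? null);
    $stmt = $db->prepare(
        'INSERT INTO users (username, password, role) VALUES (?, ?, ?)'
    );
    $stmt->execute([
        $post['username'],
        password_hash($post['password'], PASSWORD_DEFAULT),
        $role,
    ]);
}
```

Whether "instructor" belongs in the self-service list at all is a product decision (many deployments require approval for it); the point is that the set is fixed on the server and a rejected value is both blocked and observable.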
