Submission #831445: ealpha072 Student-Management-System 1.0 Unauthenticated Access

Title: ealpha072 Student-Management-System 1.0 Unauthenticated Access

Description:

The admin panel fails to enforce any authentication checks on its pages. The `config.php` file, which is included in the administrative backend, **comments out** the crucial `session_start();` call:

```php
<?php
//session_start();
```

Because the session is never started, any later checks that rely on `$_SESSION` variables (such as verifying a logged-in admin) will always see empty session data. Simultaneously, `dashboard.php` (and presumably other admin pages) simply includes a shared header without verifying that the user is authenticated:

```php
<?php require "../public/header.php"; ?>
```

Although the login logic (`config.php` lines 68–75) writes to `$_SESSION` upon successful authentication, without `session_start()` the session is never initialised, and no persistent login state can be created. Consequently, any unauthenticated user can directly visit `admin/dashboard.php` (or any other admin page) and be served the full administrative interface with no redirect or denial.
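The fix has two parts: start the session once, unconditionally, and make every admin page deny access by default before it emits any output. The following guard include is an added example written for this report, not code from the ealpha072 project; the file name `admin/auth_guard.php`, the session key `admin_id` and the login path `../public/login.php` are assumptions.

```php
<?php
// admin/auth_guard.php -- hypothetical include, not part of the project.
// Every admin page must require this file before producing any output,
// because a redirect header cannot be sent once output has started.
declare(strict_types=1);

// Start the session here instead of relying on config.php, where the
// call was commented out. Guard against double-start when config.php
// is fixed later and starts the session itself.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_set_cookie_params([
        'httponly' => true,                       // not readable from JS
        'samesite' => 'Lax',                      // limits cross-site sends
        'secure'   => !empty($_SERVER['HTTPS']),  // cookie only over TLS
    ]);
    session_start();
}

// The login handler is assumed to set $_SESSION['admin_id'] to the
// admin's integer id on success and to call session_regenerate_id(true)
// so a pre-login session id is never promoted to an authenticated one.
function isAdminAuthenticated(): bool
{
    return isset($_SESSION['admin_id']) && is_int($_SESSION['admin_id']);
}

if (!isAdminAuthenticated()) {
    // Deny by default: redirect to the login page and stop executing.
    // The exit is essential; without it the rest of the page still renders.
    http_response_code(302);
    header('Location: ../public/login.php');   // assumed login path
    exit;
}

// Usage in each admin page, e.g. admin/dashboard.php, as its first lines:
//   <?php
//   require __DIR__ . '/auth_guard.php';   // guard first
//   require "../public/header.php";        // then the shared header
```

Note that a check such as `isset($_SESSION['admin_id'])` is only meaningful once `session_start()` has actually run; with the call commented out, `$_SESSION` is empty on every request and an `isset` guard would simply redirect everyone, which is why both halves of the fix belong together.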
Source: https://github.com/ealpha072/Student-Management-System/issues/2
User: AAAAAlln1 (UID 98137)
Submission: 16/05/2026 08:43 AM (20 days ago)
Moderation: 03/06/2026 05:54 PM (18 days later)
Status: Accepted
VulDB Entry: 368139 [ealpha072 Student-Management-System up to 01451bd7a2f58cdda07bd0b86e3967582e3ecd08 Administrative Backend admin/config.php weak authentication]
Points: 20
