| शीर्षक | imvks786 student_management_system 1.0 Insufficient Authorization |
|---|
| विवरण | The application attempts to restrict certain actions (like adding and deleting students) by hiding UI buttons based on the user’s `Permission` level. However, the server‑side endpoints that perform these actions **do not enforce role‑based access control**. The `add.php` script only verifies that a user is logged in, without checking whether the user’s permission is `ADMIN`, `EDIT`, or `VIEW`. The `see.php` script executes the deletion **before** loading the user’s permission level, meaning any logged‑in user – including one with `VIEW` rights – can delete records.
The default database setup includes a user with limited privileges:
```sql
(2, 'admin1', 'admin', 'admin', 'VIEW', 'nick name', 'admin');
```
Because the UI merely hides buttons, an attacker with VIEW access can directly craft POST requests to add.php or GET requests to see.php?del=... and perform privileged operations. |
|---|
| स्रोत | ⚠️ https://github.com/imvks786/student_management_system/issues/3 |
|---|
| उपयोगकर्ता | Estelle666 (UID 98399) |
|---|
| सबमिशन | 25/05/2026 06:17 AM (15 दिन पहले) |
|---|
| संयम | 07/06/2026 09:53 PM (14 days later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 369149 [imvks786 student_management_system तक 9599b560ad3c3b83e75d328b76bedcd489ef1f46 Student Record /add.php अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|