Submission #700465: Sourcecodester Online Student Clearance System Project 1.0 /Admin/delete-fee.php Broken Access Control Information

Title: Sourcecodester Online Student Clearance System Project 1.0 /Admin/delete-fee.php Broken Access Control
Description:

# Sourcecodester Online Student Clearance System Project V1.0 /Admin/delete-fee.php Broken Access Control

#### NAME OF AFFECTED PRODUCT(S)
- Online Student Clearance System

#### Vendor Homepage
- https://www.sourcecodester.com/php/17892/online-clearance-system.html

#### Submitter
- yudeshui

#### Vulnerable File
- /Admin/delete-fee.php

#### VERSION(S)
- V1.0

#### Software Link
- https://www.sourcecodester.com/sites/default/files/download/Senior%20Walter/student_clearance_system_aurthur_javis.zip

PROBLEM TYPE

### 1. Unauthorized Data Deletion

This vulnerability is found in the **Online Student Clearance System** project.

#### Vulnerable File Location
`Admin/delete-fee.php` (Lines 6-10)

#### Vulnerable Code
```php
error_reporting(0);
include('../connect.php');
include('../connect2.php');
// No session_start(), no login check, no role check before this point.
$id= $_GET['id'];
$sql = "DELETE FROM fee WHERE ID=?";
$stmt= $dbh->prepare($sql);
$stmt->execute([$id]);
header("Location: add-fee.php");
```

#### Description
The script `Admin/delete-fee.php` executes a `DELETE` query against the `fee` table using the row ID supplied in the **`GET`** parameter `id`. The query itself is a prepared statement, so this is not an SQL injection issue; the problem is that the script performs **no authentication or authorization check** of any kind. It never starts a session, never verifies that the caller is logged in, and never verifies that the caller holds the administrator role. Any user, including an unauthenticated one, can trigger the deletion by requesting the URL directly (e.g., `/Admin/delete-fee.php?id=123`), and the script then redirects to `add-fee.php` as if an administrator had performed the action. This is a **Broken Access Control** vulnerability leading to unauthorized data deletion.

To confirm it, request the URL without any session cookie and observe that the response is a redirect to `add-fee.php` and that the `fee` row with the given ID no longer exists.

#### Suggested Mitigation
Implement a strict **authentication and authorization check** at the beginning of the script (start the session, reject callers who are not logged in, and reject callers who do not hold the administrator role). Ensure that only users with the appropriate administrative role are permitted to execute the deletion. Because the deletion is triggered by a plain `GET` request, it should also be moved to a `POST` request protected by a CSRF token, so that an authenticated administrator cannot be made to trigger it by following an attacker-supplied link. Finally, validate that `id` is an integer before using it.
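The following is an added example of how `Admin/delete-fee.php` could be hardened along the lines of the mitigation above. It is not the project's own code. It assumes that the admin login page sets `$_SESSION['admin_id']`, that `add-fee.php` stores a CSRF token in `$_SESSION['csrf_token']` when it renders the delete form, and that `../connect.php` provides the PDO handle `$dbh` seen in the vulnerable snippet; all three are assumptions about this code base.

```php
<?php
// Hardened replacement for Admin/delete-fee.php (added example, not the
// project's own code). Assumed: the admin login sets $_SESSION['admin_id'],
// add-fee.php stores a CSRF token in $_SESSION['csrf_token'], and
// ../connect.php defines the PDO handle $dbh.
session_start();
include('../connect.php');

// 1. Authentication and authorization: only a logged-in administrator may
//    reach the deletion logic. Everything else is refused before any query.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. A state-changing action must not be reachable via GET. Require POST and
//    a CSRF token bound to this session; hash_equals() avoids timing leaks.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 3. Validate the identifier: a positive integer, nothing else.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request');
}

// 4. The prepared statement in the original was already parameterised; keep it.
$stmt = $dbh->prepare('DELETE FROM fee WHERE ID = ?');
$stmt->execute([$id]);

header('Location: add-fee.php');
exit; // stop execution after issuing the redirect

// For reference, the form on add-fee.php would generate the token once per
// session, e.g. (assumed, not project code):
//   if (empty($_SESSION['csrf_token'])) {
//       $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
//   }
// and embed it as <input type="hidden" name="csrf_token" value="...">.
```

With this in place, the original proof-of-concept request (`GET /Admin/delete-fee.php?id=123` without a session) returns 403 instead of a redirect, and the `fee` row is untouched; an authenticated administrator can still delete a fee, but only by submitting the form on `add-fee.php`.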
Source: https://github.com/rassec2/dbcve/issues/8
User: yudeshui (UID 91129)
Submitted: 2025-11-24 07:34 (7 months ago)
Moderation: 2025-12-07 09:02 (13 days later)
Status: Accepted
VulDB Entry: 334649 [SourceCodester Online Student Clearance System 1.0 Fee Table /Admin/delete-fee.php identifier privilege escalation]
Points: 20
