Submission #844625: https://www.sourcecodester.com/ CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Insecure Direct Object Reference (IDOR) Information

Title: https://www.sourcecodester.com/ CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Insecure Direct Object Reference (IDOR)
Description: An Insecure Direct Object Reference (IDOR) vulnerability exists in the CET AI Predictive Grading System. The student role access control in index.php only validates the student ID at the routing layer and does not re-validate session ownership at the data-fetching layer. The application sets $_GET['id'] = $_SESSION['student_id'] only during redirection, but when the action is already 'view_student' and $_GET['id'] is present in the URL, it only performs a single integer comparison at routing time. A logged-in student can therefore access another student's grade records and analytics by directly manipulating the id parameter in the URL, bypassing the single routing-level access control check.

Steps to Reproduce:
1. Register and log in as a student account: http://[host]/PersonalAGS/index.php?action=login
2. After login, note your assigned student_id (e.g. id=1).
3. Navigate to your own student analytics page: http://[host]/PersonalAGS/index.php?action=view_student&id=1
4. Modify the id parameter to another student's ID: http://[host]/PersonalAGS/index.php?action=view_student&id=2
5. Another student's grade records and analytics are accessible.

Extended Attack:
- Enumerate all student IDs by incrementing the id parameter: ?action=view_student&id=1, ?action=view_student&id=2, ?action=view_student&id=3
- Harvest grade data for all students in the system

Impact:
- Unauthorized access to other students' grade records
- Full exposure of student academic performance data
- Privacy violation of all enrolled students
- Complete bypass of student data isolation

Affected File: index.php
Affected Lines: 139-146
Auth Required: Yes (student account)
User Interaction: None
CWE: CWE-639
CVSS: 6.5 (Medium)
Reference URL: https://cwe.mitre.org/data/definitions/639.html

Recommended Fix:
1. Re-validate session ownership at every data-fetching layer: if((int)$_GET['id'] !== (int)$_SESSION['student_id']) { $action = 'unauthorized'; exit; }
2. Never trust client-supplied IDs for authorization — always derive the student scope directly from the session: $student_id = $_SESSION['student_id'];
3. Remove the id parameter from the URL entirely for the student role — always use $_SESSION['student_id'] to fetch data: $stmt = $pdo->prepare("SELECT * FROM students WHERE id = ?"); $stmt->execute([$_SESSION['student_id']]);
4. Apply the same ownership check to every POST handler, AJAX endpoint, and data-fetching function that accepts a student ID as input.
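The routing-only check the report describes, beside a session-scoped replacement, as an added PHP example. This is not the project's index.php and does not reproduce its lines 139-146; the table and column names (students.id, grades.student_id), the session keys ($_SESSION['student_id'], $_SESSION['role']) and all function names are assumptions chosen to illustrate the four recommendations above.

```php
<?php
declare(strict_types=1);
// Added example, not the project's code. Schema, session keys and
// function names are assumptions.

session_start();

/**
 * Model of the weak pattern: the session id is only applied when ?id= is
 * absent, and the query then trusts whatever id the client supplied.
 */
function vulnerable_view_student(PDO $pdo): ?array
{
    if (!isset($_GET['id'])) {
        $_GET['id'] = $_SESSION['student_id'];   // only on the redirect path
    }
    $stmt = $pdo->prepare('SELECT * FROM students WHERE id = ?');
    $stmt->execute([(int)$_GET['id']]);        // client-controlled scope
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

/**
 * Student id the current session may read, or null when the session is not
 * an authenticated student. Every student-facing query derives its scope here.
 */
function current_student_id(): ?int
{
    if (($_SESSION['role'] ?? null) !== 'student') {
        return null;
    }
    return isset($_SESSION['student_id']) ? (int)$_SESSION['student_id'] : null;
}

/**
 * Ownership check for any GET, POST or AJAX handler that still accepts a
 * student id as input. A mismatch is logged so probing of other ids is
 * visible in server logs, and the caller must refuse to serve the record.
 */
function session_owns_student(int $requested_id): bool
{
    $own = current_student_id();
    if ($own === null || $requested_id !== $own) {
        error_log(sprintf(
            'IDOR check failed: session student %s requested student %d from %s',
            $own === null ? 'none' : (string)$own,
            $requested_id,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        return false;
    }
    return true;
}

/**
 * Hardened fetch for the student role: the id comes from the session only,
 * so a client-supplied ?id= cannot widen the query. Record and analytics
 * rows are both bound to the same session-derived id.
 */
function fetch_own_student(PDO $pdo): ?array
{
    $id = current_student_id();
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM students WHERE id = ?');
    $stmt->execute([$id]);
    $student = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($student === false) {
        return null;
    }
    $grades = $pdo->prepare('SELECT * FROM grades WHERE student_id = ?');
    $grades->execute([$id]);
    $student['grades'] = $grades->fetchAll(PDO::FETCH_ASSOC);
    return $student;
}

/** Dispatch for action=view_student: the student role never reads $_GET['id']. */
function handle_view_student(PDO $pdo): void
{
    $student = fetch_own_student($pdo);
    if ($student === null) {
        http_response_code(403);
        exit('unauthorized');
    }
    header('Content-Type: application/json');
    echo json_encode($student);
}

/** Same ownership rule for a POST/AJAX endpoint that carries a student_id field. */
function handle_post_with_student_id(): int
{
    $requested = filter_input(INPUT_POST, 'student_id', FILTER_VALIDATE_INT);
    if (!is_int($requested) || !session_owns_student($requested)) {
        http_response_code(403);
        exit('unauthorized');
    }
    return $requested;   // guaranteed equal to the session's student id
}
```

The point of `fetch_own_student()` is that there is nothing left to compare: once the id is taken from the session there is no client value to get wrong at the data layer. `session_owns_student()` covers the remaining endpoints that must still accept an id in the request body, and its log line gives operations a signal when one account starts requesting other students' records.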
Source: https://cwe.mitre.org/data/definitions/639.html
User: Abhay mp (UID 98542)
Submitted: 2026-06-01 09:14 (1 month ago)
Moderation: 2026-07-03 15:56 (1 month later)
Status: Accepted
VulDB Entry: 376116 [SourceCodester CET Automated Grading System with AI Predictive Analytics POST index.php?action=view_student privilege escalation]
Points: 20
