Submission #700465: Sourcecodester Online Student Clearance System Project 1.0 /Admin/delete-fee.php Broken Access Control - Info

Title: Sourcecodester Online Student Clearance System Project 1.0 /Admin/delete-fee.php Broken Access Control

Description:

# Sourcecodester Online Student Clearance System Project V1.0 /Admin/delete-fee.php Broken Access Control

#### NAME OF AFFECTED PRODUCT(S)

- Online Student Clearance System

#### Vendor Homepage

- https://www.sourcecodester.com/php/17892/online-clearance-system.html

#### Submitter

- yudeshui

#### Vulnerable File

- /Admin/delete-fee.php

#### VERSION(S)

- V1.0

#### Software Link

- https://www.sourcecodester.com/sites/default/files/download/Senior%20Walter/student_clearance_system_aurthur_javis.zip

#### PROBLEM TYPE

### 1. Unauthorized Data Deletion

This vulnerability is found in the **Online Student Clearance System** project.

#### Vulnerable File Location

`Admin/delete-fee.php` (Lines 6-10)

#### Vulnerable Code

```php
<?php
error_reporting(0);
include('../connect.php');
include('../connect2.php');

// No session, login or role check precedes this point:
// every request that reaches the file reaches the DELETE.
$id = $_GET['id'];
$sql = "DELETE FROM fee WHERE ID=?";
$stmt = $dbh->prepare($sql);   // prepared statement, so this is not SQL injection
$stmt->execute([$id]);         // the problem is who is allowed to get here
header("Location: add-fee.php");
```

#### Description

The script `Admin/delete-fee.php` executes a `DELETE` query on the `fee` table using the ID supplied in the **`GET`** parameter `id`. This is a **Broken Access Control** vulnerability: the script **performs no authorization check** (it never verifies that the requester is logged in or holds the administrator role). Any user, including an unauthenticated one, can trigger the deletion simply by requesting the URL (e.g., `/Admin/delete-fee.php?id=123`), resulting in unauthorized data deletion.

#### Suggested Mitigation

Implement a strict **authentication and authorization check** at the beginning of the script. Ensure that only users holding the appropriate administrative role are permitted to execute the deletion operation.
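A hardened form of the handler, as an added example and not the project's own code: it keeps the prepared statement shown above but refuses to run the deletion unless the request comes from an authenticated administrator session and is submitted via POST with an anti-CSRF token. The session keys `admin_id`, `role` and `csrf_token`, the `requireAdmin()` helper, and the `../login.php` redirect target are assumptions, since the project's login code is not shown on this page.

```php
<?php
// Hardened Admin/delete-fee.php (added example; not the project's code).
// Assumes the login handler stores the admin's id in $_SESSION['admin_id'],
// the role string in $_SESSION['role'] and a per-session CSRF token in
// $_SESSION['csrf_token'] (all hypothetical names).
session_start();
include('../connect.php');
include('../connect2.php');

function requireAdmin(): void
{
    // Authentication: is anyone logged in at all?
    if (empty($_SESSION['admin_id'])) {
        header('Location: ../login.php');   // assumed login page
        exit;
    }
    // Authorization: is the logged-in user an administrator?
    if (($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

requireAdmin();

// A state-changing action should not be reachable from a plain GET link,
// and the request must carry the session's anti-CSRF token.
$sessionToken = $_SESSION['csrf_token'] ?? '';
$postToken    = $_POST['csrf_token'] ?? '';
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || $sessionToken === ''                     // hash_equals('', '') is true; reject explicitly
    || !hash_equals($sessionToken, $postToken)) {
    http_response_code(403);
    exit('Forbidden');
}

// Accept only a positive integer id; anything else is rejected, not cast.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// Same prepared statement as the original; only the gate in front of it changed.
$stmt = $dbh->prepare('DELETE FROM fee WHERE ID = ?');
$stmt->execute([$id]);
header('Location: add-fee.php');
exit;
```

The form on `add-fee.php` would need to submit the hidden `csrf_token` field via POST for this to work; logging the `admin_id` alongside each deletion also gives an audit trail the original lacks.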
Source ⚠️ https://github.com/rassec2/dbcve/issues/8
User: yudeshui (UID 91129)
Submitted: 2025-11-24 07:34 AM (7 months ago)
Moderation: 2025-12-07 09:02 AM (13 days later)
Status: Accepted
VulDB Entry: 334649 [SourceCodester Online Student Clearance System 1.0 Fee Table /Admin/delete-fee.php id privilege escalation]
Points: 20
