Submission #844625: https://www.sourcecodester.com/ CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Insecure Direct Object Reference (IDOR) Info

Title: https://www.sourcecodester.com/ CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Insecure Direct Object Reference (IDOR)
Description:
An Insecure Direct Object Reference (IDOR) vulnerability exists in the CET Automated Grading System with AI Predictive Analytics. The student-role access control in index.php validates the student ID only at the routing layer and does not re-validate session ownership at the data-fetching layer. The application assigns $_GET['id'] = $_SESSION['student_id'] only on the redirect path; when the action is already 'view_student' and an id parameter is present in the URL, the routing code performs a single integer comparison and the subsequent data fetch is driven by that client-supplied id. A logged-in student can therefore change the id parameter in the URL to read another student's grade records and analytics without authorization, bypassing the single routing-level access control check.

Steps to Reproduce:
1. Register and log in as a student account: http://[host]/PersonalAGS/index.php?action=login
2. After login, note your assigned student_id (e.g. id=1).
3. Navigate to your own student analytics page: http://[host]/PersonalAGS/index.php?action=view_student&id=1
4. Change the id parameter to another student's ID: http://[host]/PersonalAGS/index.php?action=view_student&id=2
5. The other student's grade records and analytics are displayed.

Extended Attack:
- Enumerate all student IDs by incrementing the id parameter: ?action=view_student&id=1, ?action=view_student&id=2, ?action=view_student&id=3, and so on.
- Harvest the grade data of every student in the system.

Impact:
- Unauthorized access to other students' grade records
- Full exposure of student academic performance data
- Privacy violation of all enrolled students
- Complete bypass of student data isolation

Affected File: index.php
Affected Lines: 139-146
Auth Required: Yes (student account)
User Interaction: None
CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
CVSS: 6.5 (Medium)
Reference URL: https://cwe.mitre.org/data/definitions/639.html

Recommended Fix:
1. Re-validate session ownership at every data-fetching layer, not only at routing time:
   if ((int)$_GET['id'] !== (int)$_SESSION['student_id']) { $action = 'unauthorized'; exit; }
2. Never trust client-supplied IDs for authorization; always derive the student scope directly from the session:
   $student_id = $_SESSION['student_id'];
3. Remove the id parameter from the URL entirely for the student role and always use $_SESSION['student_id'] to fetch data:
   $stmt = $pdo->prepare("SELECT * FROM students WHERE id = ?"); $stmt->execute([$_SESSION['student_id']]);
4. Apply the same ownership check to every POST handler, AJAX endpoint, and data-fetching function that accepts a student ID as input.
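The following is an added illustration of the pattern the report describes and of the recommended fix; it is not code from the CET Automated Grading System. The router layout, the students and grades tables, the session keys student_id and role, and the helper names currentStudentId() and assertOwnsStudent() are assumptions made for the example. The vulnerable function trusts a client-supplied ?id= once the redirect path has been skipped; the hardened functions take the student scope from the session only and reject any mismatching id before a query runs, on the GET view and on a POST/AJAX handler alike.

```php
<?php
// Added example, not the project's own code. Table names, session keys and
// helper names are assumptions for illustration.
declare(strict_types=1);
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=ags', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// --- Vulnerable pattern (as the report describes it) ---------------------
// Ownership is only enforced on the redirect path: when a student arrives
// without an id, it is filled in from the session. If ?id= is already
// present, the fetch below runs with whatever the client supplied.
function viewStudentVulnerable(PDO $pdo): array
{
    if (!isset($_GET['id'])) {
        $_GET['id'] = $_SESSION['student_id'];   // scope derived from session only here
    }
    $stmt = $pdo->prepare('SELECT * FROM students WHERE id = ?');
    $stmt->execute([(int) $_GET['id']]);         // trusts the URL parameter
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
}

// --- Hardened pattern ----------------------------------------------------
// The student scope comes from the session alone. A client-supplied id is
// tolerated for compatibility but must equal the session's id; otherwise
// the request is rejected before any data is fetched.
function currentStudentId(): int
{
    if (empty($_SESSION['student_id']) || ($_SESSION['role'] ?? '') !== 'student') {
        http_response_code(403);
        exit('unauthorized');
    }
    return (int) $_SESSION['student_id'];
}

function assertOwnsStudent(int $requestedId): void
{
    if ($requestedId !== currentStudentId()) {
        http_response_code(403);
        exit('unauthorized');
    }
}

function viewStudentHardened(PDO $pdo): array
{
    $studentId = currentStudentId();
    if (isset($_GET['id'])) {                    // never trusted, only checked
        assertOwnsStudent((int) $_GET['id']);
    }
    $stmt = $pdo->prepare('SELECT * FROM students WHERE id = ?');
    $stmt->execute([$studentId]);                // session-derived id drives the query
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: [];
}

// The same ownership check belongs on every handler that accepts a student
// id, including POST and AJAX endpoints such as an analytics JSON feed.
function analyticsHardened(PDO $pdo): void
{
    $studentId = currentStudentId();
    if (isset($_POST['student_id'])) {
        assertOwnsStudent((int) $_POST['student_id']);
    }
    $stmt = $pdo->prepare('SELECT subject, grade FROM grades WHERE student_id = ?');
    $stmt->execute([$studentId]);
    header('Content-Type: application/json');
    echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Minimal dispatcher using the hardened handlers.
switch ($_GET['action'] ?? '') {
    case 'view_student':
        $student = viewStudentHardened($pdo);
        break;
    case 'analytics':
        analyticsHardened($pdo);
        break;
}
```

With the hardened handlers, ?action=view_student&id=2 issued from the session of student 1 returns 403 and runs no query; a staff or admin role that legitimately views other students' records would need its own explicitly authorized route rather than a relaxation of these checks.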
Source: https://cwe.mitre.org/data/definitions/639.html
User: Abhay mp (UID 98542)
Submitted: 2026-06-01 09:14 AM (1 month ago)
Moderation: 2026-07-03 03:56 PM (1 month later)
Status: Accepted
VulDB Entry: 376116 [SourceCodester CET Automated Grading System with AI Predictive Analytics POST index.php?action=view_student privilege escalation]
Points: 20
