Submission #700465: Sourcecodester Online Student Clearance System Project 1.0 /Admin/delete-fee.php Broken Access Control

Title: Sourcecodester Online Student Clearance System Project 1.0 /Admin/delete-fee.php Broken Access Control

Description:

# Sourcecodester Online Student Clearance System Project V1.0 /Admin/delete-fee.php Broken Access Control

#### NAME OF AFFECTED PRODUCT(S)
- Online Student Clearance System

#### Vendor Homepage
- https://www.sourcecodester.com/php/17892/online-clearance-system.html

#### Submitter
- yudeshui

#### Vulnerable File
- /Admin/delete-fee.php

#### VERSION(S)
- V1.0

#### Software Link
- https://www.sourcecodester.com/sites/default/files/download/Senior%20Walter/student_clearance_system_aurthur_javis.zip

### PROBLEM TYPE

### 1. Unauthorized Data Deletion

This vulnerability is found in the **Online Student Clearance System** project.

#### Vulnerable File Location

`Admin/delete-fee.php` (Lines 6-10)

#### Vulnerable Code

```php
error_reporting(0);
include('../connect.php');
include('../connect2.php');
$id= $_GET['id'];
$sql = "DELETE FROM fee WHERE ID=?";
$stmt= $dbh->prepare($sql);
$stmt->execute([$id]);
header("Location: add-fee.php");
```

#### Description

The script `Admin/delete-fee.php` executes a `DELETE` query on the `fee` table using the ID supplied in the **`GET`** parameter `id`. This is a **Broken Access Control** vulnerability: the script **performs no authorization check** of any kind (it neither verifies that the user is logged in nor that the user holds the administrator role). Any user, including an unauthenticated one, can trigger the deletion simply by requesting the URL directly (e.g., `/Admin/delete-fee.php?id=123`), which results in unauthorized data deletion.

#### Suggested Mitigation

Implement a strict **authentication and authorization check** at the beginning of the script, before any database access. Ensure that only users with the appropriate administrative role are permitted to execute the deletion operation.
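The following is an added example of what the mitigation above looks like in code; it is not part of the project or of the original report. It assumes the admin login page stores the logged-in administrator's id in `$_SESSION['admin_id']` and their role in `$_SESSION['role']`, that the login page lives at `../login.php`, and that the form on `add-fee.php` is changed to submit the deletion by POST with a CSRF token stored in `$_SESSION['csrf_token']`; all of these names and paths are assumptions, not something the project is known to provide.

```php
<?php
// Hardened replacement for Admin/delete-fee.php (added example, not the project's code).
// Assumptions: the login handler sets $_SESSION['admin_id'] and $_SESSION['role'],
// the login page is ../login.php, and add-fee.php posts a CSRF token named csrf_token.
session_start();
include('../connect.php');
include('../connect2.php');

// 1. Authentication + authorization: only a logged-in administrator may continue.
//    This is the check the original script is missing entirely.
if (empty($_SESSION['admin_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
    header('Location: ../login.php');
    exit;
}

// 2. State-changing action: require POST and a matching CSRF token, so a deletion
//    cannot be triggered by a crafted link or image tag while an admin is logged in.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 3. Validate the id as a positive integer before it reaches the database.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad request');
}

// 4. Only now perform the deletion (still parameterized, as in the original).
$stmt = $dbh->prepare("DELETE FROM fee WHERE ID = ?");
$stmt->execute([$id]);
header("Location: add-fee.php");
exit;
```

The order matters: the session check runs before the database connection is used, and the request is rejected with `exit` so that execution never falls through to the `DELETE`. Moving the action from GET to POST with a token is a separate hardening step that also requires updating the delete links on `add-fee.php` to a small form; if that change is out of scope, step 1 alone closes the access-control flaw described in this report.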
Source ⚠️ https://github.com/rassec2/dbcve/issues/8
User
 yudeshui (UID 91129)
Submission 24/11/2025 07h34 (7 months ago)
Moderation 07/12/2025 09h02 (13 days later)
Status Accepted
VulDB Entry 334649 [SourceCodester Online Student Clearance System 1.0 Fee Table /Admin/delete-fee.php ID Privilege Escalation]
Points 20
