| Title | imvks786 student_management_system 1.0 Broken Access Control |
|---|
| Description | The student deletion endpoint (`see.php`) processes the `del` parameter and immediately executes a `DELETE` query **before** checking the logged‑in user’s permission level. The relevant code flow:
```php
// see.php:7-8
if (isset($_GET['submit'])){
if(mysqli_query($con,"DELETE FROM student WHERE ID =".$_GET['del']."")){
// ... later, after deletion ...
// see.php:17-20
$usr=$_SESSION['username'];
$r=mysqli_query($con,"SELECT Permission from login WHERE username='$usr'");
$ro=mysqli_fetch_assoc($r);
$uper=$ro['Permission'];
```
Because the deletion query runs first, a user with only VIEW permission (e.g., the default `admin1`/`admin` account) can delete any student record simply by crafting a GET request with `?submit=submit&del=<id>`. The subsequent permission check is only used for displaying a warning message; it does not prevent the destructive action. |
|---|
| Source | https://github.com/imvks786/student_management_system/issues/4 |
|---|
| User | kimoji (UID 98406) |
|---|
| Submission | 05/25/2026 06:22 |
|---|
| Moderation | 06/07/2026 21:53 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 369150 [imvks786 student_management_system up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46 Student Deletion Endpoint /see.php del improper authorization] |
|---|
| Points | 20 |
|---|
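The ordering fix the report implies, as an added example that is neither the project's code nor the submitter's: the permission lookup runs before any query that modifies data, and the student ID is bound as a prepared-statement parameter instead of being concatenated into the SQL the way the excerpt above does. It assumes the tables the excerpt references, `login(username, Permission)` and `student(ID)`, an open `mysqli` connection in `$con` with mysqlnd available (for `get_result()`), and that the permission string granting deletion is `DELETE`; that value, and the switch from GET to POST for the state-changing request, are assumptions and not something the report states.

```php
<?php
// Added example, not code from imvks786/student_management_system.
// Assumptions: $con is an open mysqli connection created by the project's
// existing connection include (mysqlnd enabled for get_result());
// tables login(username, Permission) and student(ID) as in the report;
// the permission string that allows deletion is 'DELETE' (assumed;
// substitute the project's real value).
session_start();
// Throw on SQL errors so a failed prepare() cannot fall through silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Look up the caller's permission level with a bound parameter.
function current_permission(mysqli $con, string $username): ?string
{
    $stmt = $con->prepare("SELECT Permission FROM login WHERE username = ?");
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['Permission'] ?? null;
}

// Delete one student by integer ID; true only if exactly one row was removed.
function delete_student(mysqli $con, int $id): bool
{
    $stmt = $con->prepare("DELETE FROM student WHERE ID = ?");
    $stmt->bind_param("i", $id);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

// Order of operations: authentication, authorization, input validation,
// and only then the write. Returns the HTTP status to send.
function handle_delete_request(mysqli $con, array $session, array $post): int
{
    if (!isset($post['submit'], $post['del'])) {
        return 200;                          // no deletion requested
    }
    if (empty($session['username'])) {
        return 401;                          // not logged in
    }
    if (current_permission($con, $session['username']) !== 'DELETE') {
        return 403;                          // VIEW-only users stop here
    }
    $id = filter_var($post['del'], FILTER_VALIDATE_INT);
    if ($id === false) {
        return 400;                          // non-numeric ID
    }
    return delete_student($con, $id) ? 200 : 404;
}

http_response_code(handle_delete_request($con, $_SESSION, $_POST));
```

With this ordering a VIEW-only account that posts `submit=submit&del=<id>` receives a 403 before any statement touching the `student` table is prepared, which is the property the original `see.php` flow lacks; the warning message the original shows after the fact becomes unnecessary because the denied request never reaches the query.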