| tiêu đề | a4m4 Student-Management-System--PHP- 1.0 Unauthenticated Access |
|---|
| Mô tả | The `admin/deleteform.php` and `admin/updatedata.php` scripts handle crucial data manipulation tasks (student deletion and updates), yet they completely lack any form of authentication or authorisation. Neither `session_start()` nor the usual session validation code is present. The scripts immediately process the incoming HTTP request and execute SQL statements.
Example from `admin/deleteform.php` (lines 3–6):
```php
include ('../dbcon.php');
$id = $_REQUEST['sid'];
$qry = "DELETE FROM `student` WHERE `id`= '$id' ";
```
Because these endpoints are accessible to anyone who knows the path, an unauthenticated attacker can arbitrarily delete or modify student records, causing severe data integrity and availability issues. |
|---|
| Nguồn | ⚠️ https://github.com/a4m4/Student-Management-System--PHP-/issues/3 |
|---|
| Người dùng | oxygen (UID 97921) |
|---|
| Đệ trình | 11/05/2026 06:10 (cách đây 26 ngày) |
|---|
| Kiểm duyệt | 31/05/2026 16:16 (20 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 367551 [a4m4 Student-Management-System đến f0c5f6842c5e8c431ff02b5260a565ca844df3a0 admin/deleteform.php sid nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|