| Title | https://www.sourcecodester.com/ CET Automated Grading System with AI Predictive Analytics in PHP and MySQL 1.0 Insecure Direct Object Reference (IDOR) |
|---|---|
| Description | An Insecure Direct Object Reference (IDOR) vulnerability exists in
the CET AI Predictive Grading System. The student role access control
in index.php only validates the student ID at the routing layer and
does not re-validate session ownership at the data-fetching layer.
The application sets $_GET['id'] = $_SESSION['student_id'] only
during redirection; when the action is already 'view_student' and
$_GET['id'] is present in the URL, only a single integer comparison
is performed at routing time. A logged-in student can therefore
change the id parameter in the URL to access another student's grade
records and analytics without authorization, bypassing the single
routing-level access control check.
Steps to Reproduce:
1. Register and log in as a student account:
http://[host]/PersonalAGS/index.php?action=login
2. After login, note your assigned student_id (e.g. id=1).
3. Navigate to your own student analytics page:
http://[host]/PersonalAGS/index.php?action=view_student&id=1
4. Modify the id parameter to another student's ID:
http://[host]/PersonalAGS/index.php?action=view_student&id=2
5. The other student's grade records and analytics are displayed.
Extended Attack:
- Enumerate all student IDs by incrementing the id parameter:
?action=view_student&id=1
?action=view_student&id=2
?action=view_student&id=3
- Harvest grade data for all students in the system
Impact:
- Unauthorized access to other students' grade records
- Full exposure of student academic performance data
- Privacy violation of all enrolled students
- Complete bypass of student data isolation
Affected File: index.php
Affected Lines: 139-146
Auth Required: Yes (student account)
User Interaction: None
CWE: CWE-639
CVSS: 6.5 (Medium)
Reference URL: https://cwe.mitre.org/data/definitions/639.html
Recommended Fix:
1. Re-validate session ownership at every data-fetching layer:
if (!isset($_SESSION['student_id']) || (int)$_GET['id'] !== (int)$_SESSION['student_id']) {
    http_response_code(403);
    exit('Unauthorized');
}
2. Never trust client-supplied IDs for authorization; always
derive the student scope directly from the session:
$student_id = $_SESSION['student_id'];
3. Remove the id parameter from the URL entirely for the student
role and always use $_SESSION['student_id'] to fetch data:
$stmt = $pdo->prepare("SELECT * FROM students WHERE id = ?");
$stmt->execute([$_SESSION['student_id']]);
4. Apply the same ownership check to every POST handler,
AJAX endpoint, and data-fetching function that accepts
a student ID as input |
| Source | https://cwe.mitre.org/data/definitions/639.html |
| User | Abhay mp (UID 98542) |
| Submission | 01/06/2026 09:14 (1 month ago) |
| Moderation | 03/07/2026 15:56 (1 month later) |
| Status | accepted |
| VulDB Entry | 376116 [SourceCodester CET Automated Grading System with AI Predictive Analytics POST index.php?action=view_student privilege escalation] |
| Points | 20 |
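As an added example (not the project's own code), the view_student handler rewritten along the lines of remediation steps 1 to 3 in the description: the student scope is taken from the session, a legacy id= parameter must match it, and the query is bound to that session value rather than to the URL. The grades table and its columns, the role session key, and the $pdo connection are assumptions.

```php
<?php
// Added example, not code from the CET grading system: a session-scoped
// replacement for the view_student action. Assumed: a 'grades' table with
// student_id/subject/score/term columns, $_SESSION['role'], and a PDO $pdo.
declare(strict_types=1);
session_start();

function currentStudentId(): ?int
{
    // Only a student session carries student_id; other roles use another path.
    return isset($_SESSION['role'], $_SESSION['student_id']) && $_SESSION['role'] === 'student'
        ? (int) $_SESSION['student_id']
        : null;
}

function fetchStudentAnalytics(PDO $pdo, int $studentId): array
{
    // The WHERE clause is bound to the session-derived id, so a caller that still
    // sends ?id=2 cannot widen the query to another student's rows.
    $stmt = $pdo->prepare(
        'SELECT subject, score, term FROM grades WHERE student_id = ? ORDER BY term'
    );
    $stmt->execute([$studentId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function handleViewStudent(PDO $pdo): void
{
    $sessionId = currentStudentId();
    if ($sessionId === null) {
        http_response_code(401);
        exit('Login required');
    }
    // Defence in depth: if an old link still carries id=, it must match the session.
    // A mismatch is worth logging, since it is the signature of the IDOR attempt.
    if (isset($_GET['id']) && (int) $_GET['id'] !== $sessionId) {
        http_response_code(403);
        error_log(sprintf('IDOR attempt: student %d requested id=%s', $sessionId, $_GET['id']));
        exit('Forbidden');
    }
    $rows = fetchStudentAnalytics($pdo, $sessionId);
    header('Content-Type: application/json');
    echo json_encode(['student_id' => $sessionId, 'grades' => $rows]);
}

if (($_GET['action'] ?? '') === 'view_student') {
    handleViewStudent($pdo); // $pdo: the application's PDO connection (assumed)
}
```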