| Title | mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be Authorization Bypass Through User-Controlled SQL Primary Key |
|---|---|
| Source | https://github.com/mjperpinosa/stumasy/issues/9 |
| User | gscsd (UID 97914) |
| Submitted | 2026-06-05 16:53 (29 days ago) |
| Moderated | 2026-07-04 17:50 (29 days later) |
| Status | Accepted |
| VulDB Entry | 376342 [mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be Note Handler/Assignment /PHP/objects/notes assignment_item_id privilege escalation] |
| Points | 20 |

Description

The affected components are the note and assignment object endpoints under `application/PHP/objects/notes/`, including `update_assignment_answer.php`, `retrieve_assignment_answer_to_update.php`, `update_scratch_data.php`, `retrieve_scratch_data_to_update.php`, and `delete_scratch_data.php`. These endpoints accept object identifiers from POST data and call controller methods that read, update, or delete records by primary key without checking authentication or ownership:

```php
// Endpoint: the record id and new value come straight from the request body;
// no session check and no check that the caller owns assignment_item_id.
$assignment_item_id = $_POST["assignment_item_id"];
$answer = $_POST["answer"];
$execute_function->update_assignment_answer($answer, $assignment_item_id);
```
```php
// Controller: the UPDATE is keyed on the primary key alone, so any valid
// item_id is writable regardless of who submitted it.
$insert_answer_statement = $this->db_holder->prepare("UPDATE assignment_items SET answer = ? WHERE item_id = ?");
$insert_answer_statement->execute(array($answer, $assignment_item_id));
```
```php
// Endpoint: same pattern for scratch notes, again with no ownership check.
$new_scratch_data = $_POST["new_scratch_data"];
$scratch_data_id = $_POST["scratch_data_id"];
$execute_function->update_scratch_data($new_scratch_data, $scratch_data_id);
```
```php
// Controller: WHERE clause contains only the user-supplied primary key.
$update_statement = $this->db_holder->prepare("UPDATE scratch_data SET scratch_data = ? WHERE scratch_data_id = ?;");
$update_statement->execute(array($new_scratch_data, $scratch_data_id));
```

An unauthenticated attacker can modify or read other users' assignment answers and scratch notes by guessing numeric IDs. This causes unauthorized data disclosure and tampering.
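The fix for this class of bug is to require an authenticated session and to bind the caller's identity into the query itself, so that a primary key belonging to another user simply matches no rows. The following is an added example of a hardened `update_assignment_answer` flow; it is not stumasy's code. The session key `user_id`, the column `assignment_items.owner_id`, the `$db` PDO handle and its DSN are assumptions made for illustration.

```php
<?php
// Added example, not part of the stumasy project. Assumptions: the login
// flow stores the user's id in $_SESSION['user_id'], and assignment_items
// has an owner_id column referencing that user.

session_start();

// Assumed PDO connection; DSN and credentials are placeholders.
$db = new PDO('mysql:host=localhost;dbname=stumasy', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // Make rowCount() report matched rows, not only changed rows, so that
    // re-submitting an identical answer is not mistaken for "not owned".
    PDO::MYSQL_ATTR_FOUND_ROWS => true,
]);

// 1. Authentication: refuse anonymous callers before touching any record.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('authentication required');
}
$current_user_id = (int) $_SESSION['user_id'];

// 2. Input validation: the id must be a positive integer, the answer a string.
$assignment_item_id = filter_input(INPUT_POST, 'assignment_item_id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
$answer = $_POST['answer'] ?? null;
if ($assignment_item_id === false || $assignment_item_id === null || !is_string($answer)) {
    http_response_code(400);
    exit('invalid input');
}

// 3. Authorization: ownership is part of the WHERE clause, so there is no
//    separate read-then-check step that could be raced or forgotten.
function update_assignment_answer(PDO $db, int $user_id, int $item_id, string $answer): bool
{
    $stmt = $db->prepare(
        'UPDATE assignment_items SET answer = :answer
         WHERE item_id = :item_id AND owner_id = :owner_id'
    );
    $stmt->execute([
        ':answer'   => $answer,
        ':item_id'  => $item_id,
        ':owner_id' => $user_id,
    ]);
    // 0 rows means "does not exist" or "not yours"; both are reported the
    // same way so the endpoint cannot be used to enumerate which ids exist.
    return $stmt->rowCount() === 1;
}

if (!update_assignment_answer($db, $current_user_id, $assignment_item_id, $answer)) {
    http_response_code(404);
    exit('not found');
}
echo 'ok';
```

The same shape applies to the retrieve and delete endpoints listed above: `SELECT ... WHERE scratch_data_id = :id AND owner_id = :owner_id` and `DELETE ... WHERE scratch_data_id = :id AND owner_id = :owner_id`, each preceded by the session check. Note the `PDO::MYSQL_ATTR_FOUND_ROWS` attribute: without it, MySQL reports zero affected rows when the new value equals the stored one, which would make a legitimate no-op update look like an ownership failure.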