Computer Laboratory Management System 1.0 Privilege Escalation

Computer Laboratory Management System 1.0 Privilege Escalation
2024-8-2 22:10:18 Author: packetstormsecurity.com(查看原文) 阅读量:2 收藏

# Exploit Title: Computer Laboratory Management System v1.0 - Incorrect access control
# Date: 08 July 2024
# Exploit Author: Sampath kumar kadajari
# Vendor Homepage: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html
# Software Link: https://www.sourcecodester.com/download-code?nid=17268&title=Computer+Laboratory+Management+System+using+PHP+and+MySQL
# Version: v1.0
# CVE: CVE-2024-41332
# Tested on: Windows, XAMPP, Apache, MySQL-------------------------------------------------------------------------------------------------------------------------------------------
Incorrect access control in the delete_category function of Sourcecodester Computer Laboratory Management System v1.0 allows authenticated attackers with low-level privileges to perform arbitrarily delete actions. 
"Vulnerable Code" – ( classes/master.php)
function delete_category(){
        extract($_POST);
        $del = $this->conn->query("UPDATE `category_list` set `delete_flag` = 1 where id = '{$id}'");
        if($del){
            $resp['status'] = 'success';
            $this->settings->set_flashdata('success'," Category successfully deleted.");
        }else{
            $resp['status'] = 'failed';
            $resp['error'] = $this->conn->error;
        }
        return json_encode($resp);
}
---> Affected Component:  http://localhost/php-lms/classes/Master.php?f=delete_category
"Fix for Vulnerable Code":
function delete_category(){
    // Check if the user is logged in and has an admin role
    if (!isset($_SESSION['userdata']['role']) || $_SESSION['userdata']['role'] != 'admin') {
        $resp['status'] = 'failed';
        $resp['error'] = 'Unauthorized access.';
        return json_encode($resp);
    }
    // Proceed with the delete action if authorized
    extract($_POST);
    $del = $this->conn->query("UPDATE `category_list` set `delete_flag` = 1 where id = '{$id}'");
    if($del){
        $resp['status'] = 'success';
        $this->settings->set_flashdata('success',"Category successfully deleted.");
    }else{
        $resp['status'] = 'failed';
        $resp['error'] = $this->conn->error;
    }
    return json_encode($resp);
}

文章来源: https://packetstormsecurity.com/files/179890/clms10-escalate.txt
如有侵权请联系:admin#unsafe.sh