HaPe PKH Missing Authorization Vulnerability Allows Unauthenticated Record Deletion

Vulnerability

A vulnerability in HaPe PKH version 1.1 allows unauthenticated users to delete arbitrary records due to missing authorization checks on deletion endpoints. The issue arises in the 'admin/modul/mod_pengurus/aksi_pengurus.php' and 'admin/modul/mod_update/aksi_update.php' files, where deletions are processed without verifying the requester's privileges. This flaw enables the removal of both administrator and update records.
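The defect described above is a deletion handler that runs before any check of who is asking. The following is an added illustrative example, not code from HaPe PKH, of how such an action handler can be guarded: the request must come from an authenticated administrator session, must be a POST carrying a valid CSRF token, the target table is taken from a fixed allow-list rather than user input, and the id is bound as an integer parameter. Every name here (the `$_SESSION` keys, the table and column names, the DSN) is an assumption chosen for the example.

```php
<?php
// Added example (not HaPe PKH's own code). Session keys, table names,
// column names and the DSN are assumptions for illustration.
session_start();

/** Refuse the request unless the session belongs to a logged-in admin. */
function require_admin(): void
{
    if (empty($_SESSION['login']) || ($_SESSION['level'] ?? '') !== 'admin') {
        http_response_code(403);
        exit('Forbidden');
    }
}

/** State-changing actions must be POST and carry the session's CSRF token. */
function require_post_with_csrf(): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Method Not Allowed');
    }
    if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

/**
 * Delete one row by primary key. The table is resolved through an allow-list
 * (assumed names) so no identifier comes from the request, and the id is a
 * bound integer parameter.
 */
function delete_record(PDO $db, string $table, int $id): int
{
    $allowed = [
        'pengurus' => 'id_pengurus', // assumed table/column names
        'berita'   => 'id_berita',
    ];
    if (!isset($allowed[$table])) {
        throw new InvalidArgumentException('unknown table');
    }
    $sql  = sprintf('DELETE FROM `%s` WHERE `%s` = :id', $table, $allowed[$table]);
    $stmt = $db->prepare($sql);
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

// Handler for the "hapus" (delete) action: authorization first, then input.
require_admin();
require_post_with_csrf();

$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null || $id <= 0) {
    http_response_code(400);
    exit('Bad id');
}

$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass'); // placeholder DSN
$deleted = delete_record($db, 'pengurus', $id);

// Audit trail: who deleted what. Useful for detecting abuse after the fact.
error_log(sprintf(
    'admin "%s" deleted %d pengurus record(s), id=%d, ip=%s',
    $_SESSION['username'] ?? '?',
    $deleted,
    $id,
    $_SERVER['REMOTE_ADDR'] ?? '?'
));

header('Location: media.php?module=pengurus');
exit;
```

The order matters: the authorization and CSRF checks run before the id is even read, so an unauthenticated or cross-site request never reaches the database. The audit log line gives defenders a record to alert on, for example a burst of deletions from one account or address.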

Impact

Exploitation of this vulnerability allows for unauthorized deletion of records, including administrative data, which could disrupt application functionality and data integrity.

Reproduction

To reproduce this vulnerability, send a POST request to 'admin/media.php' with the 'module' and 'act' parameters set to 'desa' and 'hapus', respectively, along with a crafted 'id' parameter that exploits the SQL injection vulnerability. Alternatively, use the 'admin/modul/mod_pengurus/aksi_pengurus.php' endpoint with similar parameters to delete administrator records.

Added: May 29, 2026, 4:47 PM
Updated: May 29, 2026, 4:47 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.7
remediation: 0.0
relevance: 9.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.