yungifez Skuul School Management System Insecure Direct Object Reference Vulnerability in View Fee Invoice Component
Vulnerability
A vulnerability allowing Insecure Direct Object Reference (IDOR) has been identified in the yungifez Skuul School Management System, affecting versions through 2.6.5. The issue arises in the View Fee Invoice component, specifically within the dashboard fees fee-invoices directory. Authenticated student users can manipulate the invoice_id parameter in the URL to access invoices belonging to other students, leading to unauthorized disclosure of personal and financial information. This vulnerability exists due to a lack of proper authorization checks to verify ownership of the requested invoices.
Impact
Exploitation of this vulnerability allows for unauthorized access to other students' invoices, exposing sensitive personal and financial data, and violating privacy and data protection regulations.
Reproduction
To reproduce this vulnerability, log into the application as a student. Navigate to the 'View Fee Invoice' section and select an invoice. Note the invoice ID in the URL, then modify the ID to access invoices of other students. The application will display the unauthorized invoice, confirming the breach.
Remediation
It is recommended to implement ownership checks on the server side to ensure that only the rightful owner can access specific invoices. Additionally, using role-based access control (RBAC) to manage user privileges, replacing sequential IDs with non-predictable identifiers like UUIDs, and validating authorization for every request to sensitive resources can help mitigate this vulnerability.
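The ownership check described above, as an added illustration that is not code from the Skuul project: a minimal fee-invoice handler in the IDOR shape beside a hardened version that verifies the requester owns the invoice (or holds a privileged role) and records every decision so probing of neighbouring IDs shows up in logs. The User/FeeInvoice types, the "student"/"admin" roles and the sample invoices are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "student" or "admin"; role names are an assumption for this example


@dataclass(frozen=True)
class FeeInvoice:
    id: int
    student_id: int
    amount: float


class AccessDenied(Exception):
    """Raised for both missing and foreign invoices so callers cannot enumerate IDs."""


# Constructed sample data standing in for the fee-invoices table.
INVOICES = {
    101: FeeInvoice(101, student_id=1, amount=250.0),
    102: FeeInvoice(102, student_id=2, amount=300.0),
}
ACCESS_LOG: list[tuple[int, int, bool]] = []  # (user_id, invoice_id, allowed)


def view_invoice_vulnerable(invoice_id: int) -> FeeInvoice:
    """The IDOR pattern: trusts the invoice_id parameter and never asks who is requesting."""
    return INVOICES[invoice_id]


def can_view(user: User, invoice: FeeInvoice) -> bool:
    """Authorization rule: admins may view any invoice, students only their own."""
    return user.role == "admin" or invoice.student_id == user.id


def view_invoice(user: User, invoice_id: int) -> FeeInvoice:
    """Hardened handler: look up, check ownership server-side, log every decision."""
    invoice = INVOICES.get(invoice_id)
    allowed = invoice is not None and can_view(user, invoice)
    ACCESS_LOG.append((user.id, invoice_id, allowed))
    if not allowed:
        raise AccessDenied(f"invoice {invoice_id} not available to user {user.id}")
    return invoice


def denied_attempts() -> list[tuple[int, int, bool]]:
    """Detection hook: repeated denials from one user indicate ID probing."""
    return [entry for entry in ACCESS_LOG if not entry[2]]
```

Wiring `view_invoice` behind the route instead of a bare lookup is the server-side ownership check the advisory calls for; feeding `denied_attempts()` into alerting gives the operations side a signal that the vulnerable version never produced.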
