PHPGurukul Online Course Registration
cpe:2.3:a:phpgurukul:online_course_registration:*:*:*:*:*:*:*, +1 more
- <= 3.1
A critical broken-access-control vulnerability exists in PHPGurukul Online Course Registration versions through 3.1: the application does not verify the user's role before serving administrative pages. The only check performed is whether a session is authenticated, so any logged-in user can reach admin functionality simply by requesting the corresponding URLs. A user with student privileges can therefore obtain administrative rights and manage user data, courses and other sensitive functions.
Exploitation gives an authenticated student full administrative access, including the ability to view and modify all user data and to manage courses, compromising the entire application.
To reproduce, log in with a student account and then request admin pages directly, for example '/onlinecourse/admin/user-log.php' or '/onlinecourse/admin/manage-students.php'. The application serves the admin content without any role check. The same result can be obtained by intercepting a student request in a proxy such as Burp Suite and replaying it with the path changed to an admin page, keeping the student's session cookie. As a control, the same request without a session should be redirected to the login page; a correct fix makes the student session receive the same denial (or an HTTP 403) instead of the page content.
It is recommended to implement role-based access control: assign each user a role at authentication time, store it server-side in the session, and verify it before serving any administrative page. The check should live in a single centralized authorization function that every admin page invokes, so that the principle of least privilege is enforced consistently and users can reach only the resources and functions their role requires.
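The following is an added example, not code from PHPGurukul or from this advisory. It contrasts the login-only check described above with a centralized role check, and runs the two side by side against constructed sessions so the difference is visible. The session keys ('login', 'role'), the function names and the sample accounts are assumptions made for illustration; the real application's variable names are not known here.

```php
<?php
// Added example (not PHPGurukul code). Contrasts a login-only guard with a
// centralized role check. Session key names and sample data are assumptions.
declare(strict_types=1);

// Vulnerable pattern: only confirms that *some* user is logged in.
// A student session passes this check exactly like an admin session.
function vulnerable_admin_guard(array $session): bool
{
    return !empty($session['login']);
}

// Hardened pattern: one authorization function that every admin page calls.
// The role is read from the server-side session, never from the request,
// and the check fails closed on a missing or unexpected role.
function require_role(array $session, string $requiredRole): bool
{
    if (empty($session['login']) || !isset($session['role'])) {
        return false; // not authenticated, or role never assigned
    }
    return $session['role'] === $requiredRole;
}

// How an admin page would use it (illustrative; assumes $_SESSION is started):
//   session_start();
//   if (!require_role($_SESSION, 'admin')) { http_response_code(403); exit('Forbidden'); }

// At login (hardened): the role comes from the authenticated user's record,
// so the client cannot choose it. Regenerating the session id here also
// prevents session fixation, which is good practice alongside this fix.
function establish_session(array $userRecord): array
{
    // session_regenerate_id(true); // uncomment in a real web request context
    return [
        'login' => $userRecord['email'],
        'role'  => $userRecord['role'], // 'student' or 'admin' from the database
    ];
}

// Constructed sessions covering the three cases of interest (not real accounts).
$sessions = [
    'anonymous' => [],
    'student'   => establish_session(['email' => 'student01@example.com', 'role' => 'student']),
    'admin'     => establish_session(['email' => 'admin@example.com', 'role' => 'admin']),
];

// Assumed admin endpoints, relative to the application root.
$adminPages = ['admin/user-log.php', 'admin/manage-students.php'];

printf("%-10s %-26s %-11s %-9s\n", 'session', 'page', 'login-only', 'role-check');
foreach ($sessions as $name => $session) {
    foreach ($adminPages as $page) {
        printf("%-10s %-26s %-11s %-9s\n",
            $name,
            $page,
            vulnerable_admin_guard($session) ? 'ALLOW' : 'deny',
            require_role($session, 'admin') ? 'ALLOW' : 'deny');
    }
}
```

Run with `php example.php`: the login-only column shows ALLOW for the student session on both admin pages, which is the flaw the advisory describes, while the role-check column denies everything except the admin session. Because the decision lives in one function, adding a new admin page means adding one call at the top of it rather than re-implementing the check.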