PHPGurukul Pre-School Enrollment System Access Control Vulnerability in Sub Admin Handler

Vulnerability

A critical access control vulnerability has been identified in PHPGurukul Pre-School Enrollment System version 1.0. The issue resides in the Sub Admin Handler component, specifically within the file '/admin/add-subadmin.php'. This vulnerability allows low-privileged users to bypass authorization and add sub administrators, thereby creating unauthorized user accounts. The flaw arises from inadequate session identity verification, enabling exploitation through direct requests to the vulnerable file.

Impact

Exploitation of this vulnerability allows for the unauthorized creation of sub administrator accounts, leading to potential information leakage and management risks.

Reproduction

To reproduce this vulnerability, log in as a sub administrator. With that low-privileged session, send a request directly to '/admin/add-subadmin.php'. Because the page does not properly verify the session identity, the request is processed and a new sub administrator account is added.

Remediation

It is recommended to implement proper session verification and access controls to ensure that only users with the appropriate privileges can add sub administrators.
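
One way to apply this recommendation is a role guard that runs at the top of the privileged page. This is an added example, not code from the PHPGurukul project; the session keys 'user_id' and 'role', the role labels, and the helper names authorize() and require_role() are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example: session keys, role labels and helper names are assumptions,
// not taken from the PHPGurukul code base.

const ROLE_ADMIN = 'admin';       // assumed label for the full administrator
const ROLE_SUBADMIN = 'subadmin'; // assumed label for the low-privileged role

/**
 * Decide whether a session may perform an action restricted to $requiredRole.
 * Returns an HTTP status: 200 allow, 401 not logged in, 403 wrong role.
 */
function authorize(array $session, string $requiredRole): int
{
    // No authenticated identity in the session at all.
    if (empty($session['user_id']) || !isset($session['role'])) {
        return 401;
    }
    // Authenticated but under-privileged: the case the advisory describes
    // (a sub admin requesting add-subadmin.php directly).
    if ($session['role'] !== $requiredRole) {
        return 403;
    }
    return 200;
}

/** Guard to call at the top of a privileged page, before any output. */
function require_role(string $requiredRole): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $status = authorize($_SESSION, $requiredRole);
    if ($status !== 200) {
        // Log the denial so repeated direct requests are visible to defenders.
        error_log(sprintf(
            'authz denied: status=%d user=%s uri=%s ip=%s',
            $status,
            $_SESSION['user_id'] ?? '-',
            $_SERVER['REQUEST_URI'] ?? '-',
            $_SERVER['REMOTE_ADDR'] ?? '-'
        ));
        http_response_code($status);
        exit('Access denied');
    }
}

// First statement of the page that creates sub administrators:
require_role(ROLE_ADMIN);
```

The role stored in the session should be set server-side at login from the account record, never from request parameters, so the check cannot be satisfied by a client-supplied value.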

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 2.5
exploitability: 6.8
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.