CloudClassroom PHP Project Cleartext Password Transmission Vulnerability

Vulnerability

CloudClassroom PHP Project version 1.0 serves its admin login over plain HTTP, so the username and password are transmitted in cleartext. Any attacker able to observe the traffic (on the same network segment, or anywhere on the path between the browser and the server) can capture the admin credentials and use them to log in. This is a credential-disclosure weakness rather than direct code execution: the attacker gains whatever the admin account can do, which may lead to further compromise of the system.

Impact

An attacker who captures the login exchange obtains the admin password directly, with no cracking required, and can authenticate to the application as the administrator. If the same password is reused on other systems, the exposure extends to those as well and can end in full compromise.

Reproduction

To reproduce, host the application on a local web server such as XAMPP or LAMP, deploy the project, and open the admin login page over plain HTTP. Start a packet capture on the interface that carries that traffic (Wireshark or any equivalent sniffer) and submit the login form. The captured HTTP POST to the login endpoint carries the username and password as readable form fields in the request body; no decryption or cracking step is needed.
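What the sniffer actually hands the attacker is a form-urlencoded POST body. The script below is an added example (not code from the project or from the original report) that parses such a request the way one would read it from Wireshark's "Follow TCP Stream" view and pulls out the credential fields. The captured request is constructed for the example; the host, the path /admin/login.php and the field names username and password are assumptions, not values taken from the application.

```php
<?php
// Added example: recover credentials from a captured plain-HTTP login request.
// CAPTURED_REQUEST is a constructed sample; host, path and field names are assumed.
declare(strict_types=1);

const CAPTURED_REQUEST =
    "POST /admin/login.php HTTP/1.1\r\n" .
    "Host: cloudclassroom.local\r\n" .
    "Content-Type: application/x-www-form-urlencoded\r\n" .
    "Content-Length: 38\r\n" .
    "\r\n" .
    "username=admin&password=Sup3r%21Secret";

/**
 * Split a raw HTTP/1.1 request into [method, target, headers, body].
 * Header names are lower-cased; the body is cut to Content-Length when present.
 */
function parseHttpRequest(string $raw): array
{
    [$head, $body] = explode("\r\n\r\n", $raw, 2) + [1 => ''];
    $lines = explode("\r\n", $head);
    [$method, $target] = explode(' ', array_shift($lines));
    $headers = [];
    foreach ($lines as $line) {
        if (strpos($line, ':') === false) {
            continue; // tolerate junk lines in a hand-copied capture
        }
        [$name, $value] = explode(':', $line, 2);
        $headers[strtolower(trim($name))] = trim($value);
    }
    $len = (int)($headers['content-length'] ?? strlen($body));
    return [$method, $target, $headers, substr($body, 0, $len)];
}

/**
 * Return the form fields whose names look like credentials. Only a POST with a
 * form-urlencoded body qualifies; parse_str() undoes the percent-encoding, so
 * the values come back exactly as the user typed them.
 */
function findCleartextCredentials(string $raw): array
{
    [$method, , $headers, $body] = parseHttpRequest($raw);
    $ctype = $headers['content-type'] ?? '';
    if ($method !== 'POST' || stripos($ctype, 'application/x-www-form-urlencoded') !== 0) {
        return [];
    }
    parse_str($body, $fields);
    $hits = [];
    foreach ($fields as $name => $value) {
        if (preg_match('/pass|pwd|user|login|email|token/i', (string)$name)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

foreach (findCleartextCredentials(CAPTURED_REQUEST) as $name => $value) {
    printf("%s = %s\n", $name, $value);
}
```

Run it with `php` from the command line. The same function can be pointed at a request body exported from a real capture; the point is that nothing beyond URL-decoding stands between the attacker and the password.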

Remediation

To address this vulnerability, serve the application only over HTTPS: redirect plain-HTTP requests to the HTTPS origin, refuse to accept credentials on an HTTP connection, and send a Strict-Transport-Security header so browsers do not fall back. Store passwords with a slow adaptive hash such as bcrypt (in PHP, password_hash and password_verify), and make sure credentials are never written to logs or echoed back in responses. Note that hashing protects stored passwords if the database leaks; it does nothing for passwords in transit, so TLS is the fix for this finding and hashing is the complementary control.
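The following is an added example, not the project's code, showing the three remediation points side by side: a login handler that has the weaknesses the advisory lists (constructed to illustrate them, not copied from CloudClassroom), and a hardened version that enforces HTTPS with HSTS, verifies bcrypt hashes, and logs only the outcome. The PDO handle, the admins table with username and password_hash columns, the CANONICAL_HOST constant and the form field names are assumptions.

```php
<?php
// Added example: weak vs. hardened admin login for a PHP application.
// Table, column, constant and field names below are assumptions.
declare(strict_types=1);

const CANONICAL_HOST = 'cloudclassroom.example'; // assumed deployment hostname
const BCRYPT_OPTS = ['cost' => 12];

// ---- Weak pattern (constructed illustration of the mistakes being fixed) ----
function weakLogin(PDO $pdo): void
{
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';
    error_log("login attempt $user:$pass");                 // password lands in the log
    $stmt = $pdo->prepare('SELECT id FROM admins WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);                         // cleartext password in the DB
    if ($stmt->fetch()) {
        $_SESSION['admin'] = $user;                          // no session id rotation
    } else {
        echo "Login failed for $user / $pass";               // password reflected to the client
    }
    // ...and nothing stops this handler from being reached over plain HTTP.
}

// ---- Hardened version ----
function isHttpsRequest(): bool
{
    $https = $_SERVER['HTTPS'] ?? '';
    return ($https !== '' && $https !== 'off')
        || (int)($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

function enforceHttps(): void
{
    if (!isHttpsRequest()) {
        // A POST arriving here has already crossed the wire in cleartext; the
        // value of this check is that the login form itself is never served
        // over HTTP, so browsers only submit it to the HTTPS origin.
        if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'GET') {
            header('Location: https://' . CANONICAL_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
        } else {
            http_response_code(403);
        }
        exit;
    }
    // Pin browsers to HTTPS for a year so they do not fall back on later visits.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

function createAdmin(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS); // salted bcrypt
    $stmt = $pdo->prepare('INSERT INTO admins (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function hardenedLogin(PDO $pdo): bool
{
    enforceHttps();
    $user = (string)($_POST['username'] ?? '');
    $pass = (string)($_POST['password'] ?? '');

    $stmt = $pdo->prepare('SELECT id, password_hash FROM admins WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash for unknown users so response time does
    // not reveal which usernames exist.
    $hash = is_array($row) ? $row['password_hash']
                           : password_hash('placeholder', PASSWORD_BCRYPT, BCRYPT_OPTS);
    $ok = is_array($row) && password_verify($pass, $hash);

    // Log the outcome and the account name, never the submitted secret.
    error_log(sprintf('admin login %s user=%s ip=%s',
        $ok ? 'ok' : 'failed', $user, $_SERVER['REMOTE_ADDR'] ?? '?'));

    if (!$ok) {
        http_response_code(401);
        echo 'Login failed.';                                 // generic, nothing reflected
        return false;
    }
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $upd = $pdo->prepare('UPDATE admins SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($pass, PASSWORD_BCRYPT, BCRYPT_OPTS), $row['id']]);
    }
    session_regenerate_id(true);                              // defeat session fixation
    $_SESSION['admin_id'] = (int)$row['id'];
    return true;
}

// Usage at the assumed route /admin/login.php, after session_start():
//   $pdo = new PDO('mysql:host=localhost;dbname=cloudclassroom', 'app', getenv('DB_PASS'));
//   if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') { hardenedLogin($pdo); }
```

The redirect targets a configured hostname rather than the Host header so an attacker cannot turn the HTTPS bounce into an open redirect. The bcrypt cost of 12 is a reasonable starting point for an admin login and should be raised as hardware improves; password_needs_rehash upgrades stored hashes transparently when it is.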

Added: Jun 18, 2025, 10:40 PM
Updated: Jun 18, 2025, 10:40 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.3
remediation: 0.0
relevance: 0.2
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.