SourceCodester Student Result Management System Access Control Vulnerability Allowing Unauthenticated Admin User Creation

A critical vulnerability exists in SourceCodester Student Result Management System version 1.0, specifically within the register interface. The issue arises from improper access controls in the admin core new user file, allowing remote, unauthenticated users to create admin accounts. This vulnerability has been publicly disclosed and exploited.

Impact

Exploitation of this vulnerability allows for the unauthorized creation of admin users, granting attackers administrative access to the application.

Reproduction

To reproduce this vulnerability, send a POST request to the '/srms/admin/core/new_user' endpoint. Include the 'fname', 'lname', 'gender', 'email', and 'password' fields in the request. The application will create a new admin user with the provided details.

Remediation

Implement proper authentication checks to ensure that only logged-in users with the appropriate privilege level can access the user creation functionality.