EduplusCampus Student Payment API Insecure Direct Object Reference Vulnerability

Vulnerability

A critical Insecure Direct Object Reference (IDOR) vulnerability exists in the EduplusCampus Student Payment API version 3.0.1. This vulnerability allows authenticated users to access the personal and financial records of other students by altering the 'rec_no' parameter in the '/student/get-receipt' endpoint. The API fails to properly validate whether the user is authorized to view the requested receipt, enabling unauthorized access to sensitive information.

Impact

Exploitation of this vulnerability leads to unauthorized access to other students' personal and financial information, including full names, roll numbers, payment details, bank information, and transaction IDs. This breach of confidentiality violates privacy rights under the Indian IT Act, 2000.

Reproduction

To reproduce this vulnerability, log into the student portal and intercept the POST request to the '/student/get-receipt' endpoint using a tool like Burp Suite. Modify the 'rec_no' parameter to a different receipt number and send the request. The server will respond with the details of the student associated with the modified receipt number, bypassing authorization checks.
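The following is an added example, not EduplusCampus code, that models the '/student/get-receipt' lookup described in the Vulnerability and Reproduction sections: a handler that fetches a receipt by the client-supplied 'rec_no' alone, beside one that also checks the receipt belongs to the authenticated caller and records rejected lookups so that rec_no iteration can be detected. The receipt numbers, roll numbers, amounts and transaction IDs are constructed sample data and do not come from the advisory.

```python
"""Added example (not EduplusCampus code): a minimal model of the
'/student/get-receipt' lookup, showing the missing-authorization pattern
described above and the object-level check that closes it. Receipt numbers,
roll numbers, amounts and transaction IDs below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data: receipt number -> record, with the owner's roll number.
RECEIPTS = {
    "1001": {"roll_no": "CS-101", "name": "Student A", "amount": 45000, "txn_id": "TXN-A1"},
    "1002": {"roll_no": "CS-102", "name": "Student B", "amount": 45000, "txn_id": "TXN-B2"},
    "1003": {"roll_no": "CS-101", "name": "Student A", "amount": 1500, "txn_id": "TXN-A3"},
}


@dataclass
class Session:
    """Authenticated caller. roll_no is taken from the server-side session,
    never from the request body, so the client cannot choose it."""
    roll_no: str


@dataclass
class AuditLog:
    """Denied lookups, kept so a detection job can spot parameter tampering."""
    denied: list = field(default_factory=list)


def get_receipt_vulnerable(session: Session, rec_no: str, audit: AuditLog):
    """The IDOR pattern: the record is fetched by the client-supplied rec_no
    alone. The session is available but never compared with the owner."""
    return RECEIPTS.get(rec_no)


def get_receipt_fixed(session: Session, rec_no: str, audit: AuditLog):
    """Object-level authorization: the receipt must belong to the caller.
    A receipt owned by someone else yields the same None as a receipt that
    does not exist, so the response does not reveal which numbers are valid,
    and the attempt is recorded for detection."""
    record = RECEIPTS.get(rec_no)
    if record is None:
        return None
    if record["roll_no"] != session.roll_no:
        audit.denied.append((session.roll_no, rec_no))
        return None
    return record


def replay(requests, handler, audit: AuditLog):
    """Run (caller roll_no, rec_no) pairs through a handler and report, for
    each request, whose record came back (None when nothing was returned)."""
    out = []
    for caller, rec_no in requests:
        rec = handler(Session(caller), rec_no, audit)
        out.append((caller, rec_no, None if rec is None else rec["roll_no"]))
    return out


def tampering_suspects(audit: AuditLog, threshold: int = 2):
    """Detection: callers denied on at least `threshold` distinct receipt
    numbers, which is the signature of a client iterating rec_no."""
    seen = defaultdict(set)
    for caller, rec_no in audit.denied:
        seen[caller].add(rec_no)
    return sorted(c for c, nums in seen.items() if len(nums) >= threshold)


# Constructed traffic: CS-102 asks for its own receipt, then two owned by CS-101;
# CS-101 asks for a receipt number that does not exist.
SAMPLE_REQUESTS = [("CS-102", "1002"), ("CS-102", "1001"),
                   ("CS-102", "1003"), ("CS-101", "9999")]

if __name__ == "__main__":
    for handler in (get_receipt_vulnerable, get_receipt_fixed):
        audit = AuditLog()
        print(handler.__name__, replay(SAMPLE_REQUESTS, handler, audit))
        print("  suspects:", tampering_suspects(audit))
```

Run as a script, the vulnerable handler hands CS-102 both of CS-101's receipts, while the fixed handler returns nothing for them and flags CS-102 as a tampering suspect. The fix deliberately returns the same empty result for a foreign receipt and a nonexistent one; answering 403 for one and 404 for the other would let a caller learn which receipt numbers exist even after the authorization check is in place.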

Added: Dec 4, 2025, 4:19 PM
Updated: Dec 4, 2025, 5:21 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.2
remediation: 0.0
relevance: 1.3
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.