openSIS Incorrect Access Control Vulnerability in Student Module Allowing Unauthorized Database Writes

A vulnerability exists in openSIS versions through 9.2, specifically within the Student.php module, where incorrect access control allows authenticated low-privilege users to perform unauthorized write operations on the database related to other users' data. This issue arises because the application fails to properly authorize user-supplied identifiers before executing sensitive database queries, enabling low-privilege users to manipulate records of others.

Impact

Exploitation of this vulnerability allows for unauthorized modification of student records in the database, potentially leading to incorrect information being displayed or used within the application.

Reproduction

To reproduce this vulnerability, an authenticated low-privilege user must send a request to the Student.php module with the 'student_id' parameter set to the ID of another user. The request must also include the 'student_enable' parameter set to 'N'. The vulnerable code will execute a database query that updates the specified student's record, removing any disable status, without performing proper authorization checks to ensure the user has permission to make such changes.