ealpha072 Student Management System Authentication Bypass Vulnerability in Administrative Backend

An authentication vulnerability has been identified in the ealpha072 Student Management System, specifically in the administrative backend component. The issue arises from the 'admin/config.php' file, which disables session management by commenting out the 'session_start()' function. This oversight prevents the application from properly verifying user authentication, allowing unauthenticated users to access the admin dashboard and other administrative pages. The vulnerability affects all versions of the application prior to the latest commit on October 7, 2021.

Impact

Exploitation of this vulnerability allows for unauthorized access to the administrative dashboard, bypassing authentication checks and exposing administrative functionalities and data.

Reproduction

To reproduce this vulnerability, send a GET request to 'admin/dashboard.php' without a valid session cookie or with an empty or invalid session. The server will respond with HTTP 200 OK, granting access to the admin dashboard.