Open eClass Broken Access Control Vulnerability Allows Unauthorized Course Unit Creation

Vulnerability

A broken access control vulnerability has been identified in Open eClass versions prior to 4.2. It allows authenticated students to create new course units, a privilege typically reserved for instructors or administrators. The issue arises from the application's failure to enforce proper access controls at the '/modules/units/index.php' endpoint, which lets students alter course structure and potentially disrupt course integrity.

Impact

Exploitation of this vulnerability could lead to unauthorized creation of course units by students, bypassing the intended role-based access controls and potentially disrupting the management and integrity of course content.

Reproduction

To reproduce this vulnerability, authenticate as a user with student privileges. Then, send a request to the '/modules/units/index.php' endpoint with the required parameters, such as unit title and description. The request will be processed successfully, and the new unit will be created, demonstrating the access control flaw.

Remediation

Users are advised to update to Open eClass version 4.2 or later, where this vulnerability has been patched.
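
The class of flaw described above, shown as an added illustration that is not Open eClass code and not the 4.2 patch: a state-changing handler that only checks for a login, beside one that resolves the caller's course role on the server before writing. The role names, session keys, function names and sample data are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Role names, session keys and function names are hypothetical, not Open eClass's.
const EDIT_ROLES = ['instructor', 'admin'];

final class Forbidden extends RuntimeException {}

// Flawed pattern: being logged in is the only condition for the state change.
function createUnitFlawed(array $session, array $post, array &$units): void
{
    if (!isset($session['user_id'])) {
        throw new Forbidden('login required');
    }
    $units[] = ['title' => $post['title'], 'by' => $session['user_id']];
}

// Corrected pattern: role is looked up server-side per user and course; unknown means deny.
function requireEditRole(array $session, array $courseRoles): int
{
    $uid = $session['user_id'] ?? null;
    $course = $session['course_id'] ?? null;
    $role = ($uid !== null && $course !== null) ? ($courseRoles[$course][$uid] ?? null) : null;
    if (!in_array($role, EDIT_ROLES, true)) {
        throw new Forbidden('unit creation requires an editing role');
    }
    return $uid;
}

function createUnitChecked(array $session, array $post, array &$units, array $courseRoles): void
{
    $uid = requireEditRole($session, $courseRoles); // runs before any write
    $units[] = ['title' => $post['title'], 'by' => $uid];
}

// Constructed sample data: user 7 teaches course C101, user 42 is enrolled in it.
$courseRoles = ['C101' => [7 => 'instructor', 42 => 'student']];
$student = ['user_id' => 42, 'course_id' => 'C101'];
$post = ['title' => 'Week 1'];

$units = [];
createUnitFlawed($student, $post, $units);
echo 'flawed, student: ', count($units), " unit(s) created\n";

$units = [];
try {
    createUnitChecked($student, $post, $units, $courseRoles);
} catch (Forbidden $e) {
    echo 'checked, student: denied (', $e->getMessage(), ")\n";
}
createUnitChecked(['user_id' => 7, 'course_id' => 'C101'], $post, $units, $courseRoles);
echo 'checked, instructor: ', count($units), " unit(s) created\n";
```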

Added: Feb 3, 2026, 6:21 PM
Updated: Feb 3, 2026, 6:21 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 2.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.