SourceCodester Student Result Management System Improper Access Control Vulnerability in SMTP Update Endpoint
Vulnerability
A critical vulnerability exists in SourceCodester Student Result Management System version 1.0, specifically within the file '/srms/script/admin/core/update_smtp.php'. This vulnerability arises from a lack of authentication and authorization checks, allowing remote, unauthenticated attackers to manipulate the application's SMTP configuration. Exploiting this flaw could lead to unauthorized interception of password reset tokens, facilitating a complete account takeover of the administrator.
Impact
Exploitation of this vulnerability allows for unauthorized modification of SMTP settings, which can be abused to intercept password reset tokens sent to the administrator, resulting in a full account takeover.
Reproduction
The vulnerability can be reproduced by sending a POST request to the 'update_smtp.php' endpoint without authentication. The request must include the 'mail_server', 'mail_username', 'mail_password', 'mail_port', and 'mail_security' parameters. Once the SMTP settings are updated to point to a malicious server, the attacker can intercept password reset tokens intended for the administrator.
Remediation
To address this vulnerability, it is recommended to implement session-based access controls in the 'update_smtp.php' file. This can be done by adding a session validation check to ensure that the user is logged in and has the appropriate administrative privileges before allowing any modifications to the SMTP settings.
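The session validation check described above could look like the following guard placed at the top of 'update_smtp.php'. This is an added example, not code from the project: the session keys 'user_id' and 'role', the role value 'admin' and the 'csrf_token' field are assumptions to be mapped to whatever the application's login code actually stores, and the CSRF and parameter checks go beyond the session check the advisory names.

```php
<?php
declare(strict_types=1);

// Added example. ASSUMPTIONS: $_SESSION['user_id'], $_SESSION['role'] === 'admin'
// and the 'csrf_token' field are hypothetical names, not taken from the project.
session_start();

// Stop the request with a status code before any SMTP setting is touched.
function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    exit($message);
}

// 1. State-changing requests must use POST.
if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    deny(405, 'Method not allowed');
}
// 2. Authentication: a logged-in session must exist.
if (empty($_SESSION['user_id'])) {
    deny(401, 'Authentication required');
}
// 3. Authorization: only administrators may change SMTP settings.
if (($_SESSION['role'] ?? '') !== 'admin') {
    deny(403, 'Administrator privileges required');
}
// 4. CSRF: once the endpoint depends on the session cookie, require a per-session token.
$sent     = $_POST['csrf_token'] ?? '';
$expected = $_SESSION['csrf_token'] ?? '';
if (!is_string($sent) || !is_string($expected) || $expected === '' || !hash_equals($expected, $sent)) {
    deny(403, 'Invalid request token');
}
// 5. Require the five parameters the endpoint accepts and validate the port.
foreach (['mail_server', 'mail_username', 'mail_password', 'mail_port', 'mail_security'] as $field) {
    if (!isset($_POST[$field]) || !is_string($_POST[$field]) || $_POST[$field] === '') {
        deny(400, "Missing parameter: $field");
    }
}
$port = filter_var($_POST['mail_port'], FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 65535]]);
if ($port === false) {
    deny(400, 'Invalid mail_port');
}
// 6. Audit trail: record who changed the mail server (never log the password).
error_log(sprintf('SMTP settings changed by user %s: mail_server=%s port=%d',
    (string) $_SESSION['user_id'], $_POST['mail_server'], $port));

// The existing update logic continues below, reached only by authorized admins.
```

The audit line gives responders a record to compare against the stored SMTP configuration when checking whether the mail server was changed before the fix was deployed.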
