SourceCodester Student Result Management System Improper Access Control Vulnerability in Bulk Import Component

Vulnerability

A critical vulnerability exists in SourceCodester Student Result Management System version 1.0, specifically within the bulk import feature. The issue arises in the file '/admin/core/import_users.php', where the application fails to implement proper authentication and authorization checks. This flaw allows remote, unauthenticated attackers to upload malicious Excel files that are processed by the server, leading to the creation of unauthorized user accounts with teacher privileges. The vulnerability causes unauthorized access and persistent data corruption in the application's database.

Impact

Exploitation of this vulnerability allows for unauthorized account creation with elevated privileges, leading to unauthorized access and potential misuse of administrative functions.

Reproduction

To reproduce this vulnerability, upload a crafted Excel file containing malicious data through the '/admin/core/import_users.php' endpoint. The absence of authentication checks will allow the file to be processed and the injected data to be inserted into the database, creating unauthorized accounts.

Remediation

The vendor should implement session-based access controls in the affected PHP scripts to ensure that only authenticated users with the appropriate privileges can access these functionalities.
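The kind of guard the remediation describes, as an added example rather than the vendor's code: it assumes the application keeps the logged-in user's id and role in $_SESSION under the keys 'user_id' and 'role' and issues a per-session CSRF token under 'csrf_token' (all placeholder names), and is meant to be required as the first statement of /admin/core/import_users.php before any upload is read.

```php
<?php
// Added example, not part of SourceCodester Student Result Management System.
// Session keys 'user_id', 'role' and 'csrf_token' are assumptions; adapt them
// to the application's real login code. Save as /admin/core/auth_guard.php and
// add `require __DIR__ . '/auth_guard.php';` at the top of import_users.php.

declare(strict_types=1);

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Authentication: refuse anonymous requests before $_FILES or the
    // database is touched, which is the missing check in import_users.php.
    if (empty($_SESSION['user_id'])) {
        deny(401, 'Authentication required');
    }

    // Authorization: the import creates accounts, so being logged in is not
    // enough; only the admin role may reach this script.
    if (($_SESSION['role'] ?? '') !== 'admin') {
        deny(403, 'Administrator privileges required');
    }

    // The import changes server state, so accept only POST requests that
    // carry the token issued with the upload form (hash_equals avoids a
    // timing side channel on the comparison).
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        deny(405, 'Method not allowed');
    }
    $token = $_POST['csrf_token'] ?? '';
    if (empty($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $token)) {
        deny(403, 'Invalid request token');
    }
}

require_admin();
```

Every other script under /admin/core/ that changes data should include the same guard, since a check that exists only in the menu pages and not in the scripts they call is exactly what allows the direct request described above.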

Added: Feb 23, 2026, 10:21 AM
Updated: Feb 23, 2026, 6:31 PM

Vulnerability Rating

Custom Algorithm
Metric          Score
spread          0.0
impact          5.0
exploitability  8.7
remediation     0.0
relevance       3.1
threat          6.4
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.