Cyber-III Student-Management-System Insecure Direct Object Reference Vulnerability in HTTP POST Request Handler

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in Cyber-III Student-Management-System versions prior to 1a938fa61e9f735078e9b291d2e6215b4942af3f. The vulnerability resides in the file '/viva/update.php', within the HTTP POST Request Handler component. This issue allows unauthorized users to modify the 'name' field of users in the 'team_members' table without authentication. The vulnerability can be exploited remotely by sending a POST request with the target username and the new name value.

Impact

Exploitation of this vulnerability allows for unauthorized modification of user names in the 'team_members' table, potentially leading to data inconsistency or enabling further attacks by impersonating other users.

Reproduction

To reproduce this vulnerability, first ensure that the 'team_members' table exists and contains a record for a user, such as 'student01', with a name like 'Alice'. Then, send a POST request to '/viva/update.php' with the 'username' parameter set to 'student01' and the 'name' parameter set to a new value, such as 'HACKED'. After the request is processed, the name for 'student01' will be changed to 'HACKED'. This modification can be verified by querying the database. The same process can be repeated for other usernames, including 'admin' or 'lec01'.

Remediation

To address this vulnerability, implement proper authorization checks in the '/viva/update.php' file. Ensure that users can only modify their own records, and if cross-user modifications are necessary, restrict such actions to administrators.