CodeAstro Online Job Portal Improper Access Control Vulnerability in Job Deletion Handler

Vulnerability

A vulnerability exists in CodeAstro Online Job Portal version 1.0, specifically within the job deletion handler component. The issue arises in the file '/jobs/job-delete.php', where the application fails to verify that the authenticated employer owns the job posting before deleting it. This missing access control check enables any authenticated employer to delete job postings belonging to other employers simply by changing the 'id' parameter in a GET request. The vulnerability can be exploited remotely, and a public exploit is available.
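
The following is an added example, not code from the CodeAstro project: it places a delete handler that keys the query only on the request-supplied 'id' beside one that scopes the delete to the logged-in employer, and runs both against a constructed in-memory SQLite table. The table and column names (jobs.id, jobs.employer_id) and the pdo_sqlite extension are assumptions.

```php
<?php
// Added illustration, not CodeAstro's own code. Table and column names
// (jobs.id, jobs.employer_id) are assumptions; an in-memory SQLite database
// stands in for the portal's MySQL backend so the script runs stand-alone.

// VULNERABLE pattern: the delete is keyed only on the request-supplied id, so
// any logged-in employer can remove any other employer's posting.
function deleteJobUnchecked(PDO $pdo, int $jobId): int
{
    $stmt = $pdo->prepare('DELETE FROM jobs WHERE id = :id');
    $stmt->execute([':id' => $jobId]);
    return $stmt->rowCount();
}

// FIXED pattern: ownership is enforced inside the same statement, so there is
// no check-then-act window and a non-owner's request affects zero rows.
function deleteOwnJob(PDO $pdo, int $jobId, int $employerId): bool
{
    $stmt = $pdo->prepare(
        'DELETE FROM jobs WHERE id = :id AND employer_id = :owner'
    );
    $stmt->execute([':id' => $jobId, ':owner' => $employerId]);
    return $stmt->rowCount() === 1;
}

// Constructed sample data: employer 1 owns job 10, employer 2 owns job 20.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE jobs (id INTEGER PRIMARY KEY, employer_id INTEGER NOT NULL)');
$pdo->exec('INSERT INTO jobs (id, employer_id) VALUES (10, 1), (20, 2)');

// The caller's identity must come from the session, never from the request.
// Employer 2 is treated as the logged-in user in this run.
$sessionEmployerId = 2;
$requestedId = (int) ($_GET['id'] ?? 10);   // default stands in for GET ?id=10

// Hardened handler: job 10 belongs to employer 1, so nothing is deleted and
// the caller gets the same answer as for a non-existent id.
$deleted = deleteOwnJob($pdo, $requestedId, $sessionEmployerId);
echo $deleted ? "deleted job $requestedId\n" : "job not found\n";

// Unchecked handler with the same input removes the other employer's job.
echo 'unchecked delete removed ' . deleteJobUnchecked($pdo, $requestedId) . " row(s)\n";
```

Returning the same "not found" response for a missing job and for another employer's job keeps the handler from confirming which ids exist.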

Impact

Exploitation of this vulnerability allows authenticated employers to delete job postings from other employers, leading to unauthorized data removal and potential disruption of service on the platform.

Reproduction

To reproduce this vulnerability, register two employer accounts. Log in as the first employer (Employer A) and create a job posting, noting the job ID. Then, log in as the second employer (Employer B) in a different browser. Intercept the delete request for Employer B's job using a tool like Burp Suite. Change the 'id' parameter to match the job ID of Employer A's posting and forward the request. This will result in the deletion of Employer A's job posting.

Added: Apr 13, 2026, 8:45 PM
Updated: Apr 13, 2026, 8:45 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 4.6
remediation: 0.0
relevance: 5.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.