Broken Access Control in Committee Management System

Author
Updated: November 8th, 2024
2 mins read
Broken access control in committee management system.

Product Name: Class Committee Management System
Vulnerability: Broken Access Control
Vulnerable Version: Will be disclosed soon
CVE: Will be disclosed soon

On 24 September 2024, the security researchers at Astra discovered a critical broken access control vulnerability in the Class Committee Management System, an open-source project. The web-based system allows users to manage files, schedule meetings, generate reports, and access other management features.

A broken access control vulnerability occurs when the application does not enforce proper permissions and restrictions. In this instance, a lower-privileged user could bypass the permissions and escalate themselves to get unauthorized access to restricted functionalities or data.

How Does A Broken Access Control Vulnerability Occur?

Step -1: Insufficient Permission

The application does not enforce proper permission restrictions for lower-privilege users, allowing attackers to leverage the Broken Access Control and exploit the system’s lack of protection.

Step -2: Privilege Escalation via URL Manipulation

Attackers can modify the URLs or other request parameters, leading to unauthorized access. For example:

  • URL Manipulation: accessing the admin/restricted URLs directly without authorization
  • Parameter Tampering: altering the URL parameters like session IDs or user IDs

Step -3: Unauthorized User

Once the attackers gain access, they can view sensitive data or perform unauthorized high-privilege actions like:

  • altering user roles or permissions
  • access confidential data
  • alter system settings or flow

Impact of Broken Access Control

1. Data Breach or Unauthorized Access

  • Unauthorized actions: Low-privileged users perform unauthorized access like modifying records or altering critical data.
  • Data Exposure: Attackers can access sensitive information like personal information or financial records, leading to privacy violations.

2. Loss of Data Integrity

  • Data Tampering: Attackers can manipulate, modify, or delete sensitive data, affecting the integrity and overall functionality of the application.
  • Malicious Actions: Attackers can alter system functions to cause unintended behavior, alter privileges, and compromise the application’s overall integrity and security.

Current Status

Upon discovering the vulnerability in the Personal Management System, we promptly notified the platform’s developers. We provided possible solutions, such as enforcing strict access control policies, implementing vigorous server-side checks, and disabling direct URL access to avoid potential exploitation of the application and its data.

What can you do?

Update the affected version to the latest version once released by the Class Committee Management System team.