Public Disclosure# 🛡️ CVE-2025-26199 — Insecure Password Transmission via Cleartext in CloudClassroom-PHP-Project v1.0
## 📄 Description
CloudClassroom-PHP-Project v1.0 is vulnerable to insecure transmission of user credentials. During the authentication process, passwords are submitted over unencrypted HTTP rather than HTTPS. This exposes sensitive information (i.e., usernames and passwords) to interception by network-based attackers using packet sniffing or Man-in-the-Middle (MitM) attacks.
If an attacker captures valid admin credentials, they may log in and potentially exploit additional application functionality (e.g., file upload or remote shell injection) to achieve remote code execution, depending on the deployment context and system configuration.
## 📦 Affected Product
- **Name**: CloudClassroom-PHP-Project
- **Version**: 1.0
- **Repository**: [https://github.com/mathurvishal/CloudClassroom-PHP-Project](https://github.com/mathurvishal/CloudClassroom-PHP-Project)
## 💥 Impact
- **Credential Interception**: Passwords transmitted in cleartext can be stolen by attackers on the same network.
- **Account Takeover**: Captured credentials can be reused to gain admin access.
- **Remote Code Execution** (in chained scenarios): If the admin panel includes file uploads or other critical operations, attackers can achieve code execution.
## 🌐 Vulnerable Endpoint
```http
POST http://localhost/CloudClassroom-PHP-Project-master/loginlinkadmin.php
```
## 🧪 Steps to Reproduce
1. **Clone the Repository**
```bash
git clone https://github.com/mathurvishal/CloudClassroom-PHP-Project.git
```
2. **Host the Application**
- Use XAMPP, LAMP, or any local server stack.
- Access via: `http://localhost/CloudClassroom-PHP-Project-master/loginlinkadmin.php`
3. **Perform Login over HTTP**
- Intercept the request using a proxy tool (e.g., Burp Suite or Wireshark).
- Observe the password sent in plaintext over an unencrypted channel.
4. **Attack Vector**
- An attacker in a shared network environment captures the HTTP request and retrieves credentials from the payload.
## 🛡️ Recommendations
- Enforce HTTPS for all authentication and sensitive endpoints.
- Configure web server to redirect all HTTP traffic to HTTPS.
- Educate users to never enter credentials on HTTP pages.
- Use HSTS (HTTP Strict Transport Security) to prevent protocol downgrades.
## 🧩 CWE Classification
- **CWE-319**: Cleartext Transmission of Sensitive Information
[https://cwe.mitre.org/data/definitions/319.html](https://cwe.mitre.org/data/definitions/319.html)
- *(Optional if RCE is possible)*
**CWE-306**: Missing Authentication for Critical Function
[https://cwe.mitre.org/data/definitions/306.html](https://cwe.mitre.org/data/definitions/306.html)
## 📊 CVSS v3.1 (Base Score)
- **Score**: 8.1 (High)
- **Vector**: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N`
## 📅 Timeline
| Event | Date |
|-----------------------------|---------------|
| Vulnerability Discovered | 15 April 2025 |
| Public Disclosure | 18 June 2025 |
| Patch Available | No |
## 🧑💻 Credit
This vulnerability was discovered and responsibly disclosed by:
**Tansique Dasari**
📧 tansique.d@gmail.com
🔗 [https://github.com/tansique-17](https://github.com/tansique-17)
## 🔗 References
- [OWASP – Transport Layer Protection Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html)
- [CWE-319](https://cwe.mitre.org/data/definitions/319.html)
- [CloudClassroom GitHub Repository](https://github.com/mathurvishal/CloudClassroom-PHP-Project)
[4.0K] /data/pocs/ed5500aa945054ece28026e94c95a97d74ad0da2
└── [3.6K] README.md
0 directories, 1 file