Security: Multiple critical vulnerabilities - SQLi, unauthenticated endpoints, plaintext passwords #36

@lighthousekeeper1212

Description

Summary

Security audit found 10 vulnerabilities (4 CRITICAL, 5 HIGH, 1 MEDIUM). The application has fundamental security design issues.

CRITICAL Findings

  1. Certificates controller fully unauthenticated (CWE-306): controllers/certificates.php is missing the auth check in its constructor. All certificate endpoints (generate SLC, view dashboard, delete) are accessible without login.

  2. Base controller auth check commented out (CWE-306): core/MY_Controller.php lines 13-16 have the auth check commented out. Authentication is opt-in per controller instead of default-enforce.

  3. Plaintext password storage (CWE-256): models/login_model.php compares passwords in plaintext via a SQL WHERE clause. The SQL dump shows actual passwords: nicola11, 1234, user.

  4. SQL injection via column names (CWE-89): controllers/admissions.php lines 392-438, models/student_model.php lines 14-45. User-controlled search_col_1/sort_col_1 POST params are passed as column names to ->where() and ->order_by(). CodeIgniter escapes values but NOT column names.

HIGH Findings

  1. Hardcoded owner credentials (CWE-798): controllers/owner.php lines 28-38: akshat41121995@gmail.com / nicola11
  2. CSRF protection disabled (CWE-352): config/config.php line 452: csrf_protection = FALSE
  3. Weak encryption key (CWE-321): config/config.php line 328: encryption_key = '123456'
  4. Mass assignment (CWE-915): core/MY_Controller.php lines 40-58: raw POST data inserted into the DB after only removing the 'submit' key
  5. No RBAC (CWE-269) — Single 'admin' role for all users, no separation of duties

MEDIUM

  1. Insecure session config (CWE-384) — NULL save path + no IP matching

Recommended Fixes

  1. Uncomment auth check in MY_Controller (centralized enforcement)
  2. Use password_hash()/password_verify() for password storage
  3. Whitelist allowed column names for search/sort operations
  4. Remove hardcoded credentials
  5. Enable CSRF protection
  6. Generate a proper encryption key
  7. Use explicit field lists instead of raw POST data
  8. Implement role-based access control
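
The following PHP is an added example, not code from the issue or from the audited project, showing how fixes 2, 3 and 7 from the list above look when applied to the request-handling path: user-supplied column names are resolved against a whitelist before anything reaches ->where()/->order_by(), the POST array is reduced to an explicit field list instead of "everything except 'submit'", and the stored credential is a password_hash() digest checked with password_verify() rather than a plaintext comparison in SQL. The function names, the STUDENT_SORTABLE_COLUMNS map, the column names in it and the search_val_1/sort_dir_1 parameters are assumptions for the example; only search_col_1 and sort_col_1 come from the report. It runs stand-alone with plain PHP 7.4+ and no framework.

```php
<?php
// Added example (not the audited project's code). Assumed names are marked.
declare(strict_types=1);

// Assumption: public keys accepted in POST mapped to real column names.
// Keeping a map (not just a list) means the SQL identifier is always ours.
const STUDENT_SORTABLE_COLUMNS = [
    'name'     => 'student_name',
    'roll'     => 'roll_no',
    'admitted' => 'admission_date',
];

/**
 * Resolve a user-supplied column key to a whitelisted column name.
 * Throws rather than falling back silently, so a payload in sort_col_1
 * such as "student_name = '' OR 1=1 --" is rejected loudly, never
 * concatenated into ORDER BY or WHERE by the query builder.
 */
function resolveColumn(string $requested, array $whitelist): string
{
    if (!array_key_exists($requested, $whitelist)) {
        throw new InvalidArgumentException('Column not allowed: ' . $requested);
    }
    return $whitelist[$requested];
}

/** Only two spellings are valid for a sort direction; anything else becomes ASC. */
function resolveDirection(string $dir): string
{
    return strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
}

/**
 * Build the arguments that would be handed to ->where() and ->order_by().
 * The search value is still passed as a value (the query builder escapes
 * it); only the column identifiers are replaced by whitelisted ones.
 */
function buildStudentSearch(array $post): array
{
    $searchCol = resolveColumn((string) ($post['search_col_1'] ?? ''), STUDENT_SORTABLE_COLUMNS);
    $sortCol   = resolveColumn((string) ($post['sort_col_1'] ?? ''), STUDENT_SORTABLE_COLUMNS);
    return [
        'where'    => [$searchCol => (string) ($post['search_val_1'] ?? '')],
        'order_by' => [$sortCol, resolveDirection((string) ($post['sort_dir_1'] ?? 'asc'))],
    ];
}

/** Explicit field list: keep only keys the caller allows, drop everything else. */
function pickFields(array $post, array $allowed): array
{
    return array_intersect_key($post, array_flip($allowed));
}

/** Store a salted hash, never the password; PASSWORD_DEFAULT is bcrypt today. */
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

/** Verify in PHP against the stored hash, not with "WHERE password = ?" in SQL. */
function verifyPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// Constructed input resembling the POST the report describes, with an
// injection attempt in the column name and an extra field for mass assignment.
$attackerPost = [
    'search_col_1' => "student_name = '' OR 1=1 --",
    'sort_col_1'   => 'name',
    'search_val_1' => 'x',
    'role'         => 'admin',   // would be inserted by the raw-POST pattern
    'submit'       => 'Search',
];

try {
    buildStudentSearch($attackerPost);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}

$safe = buildStudentSearch([
    'search_col_1' => 'roll', 'search_val_1' => '42',
    'sort_col_1'   => 'admitted', 'sort_dir_1' => 'desc',
]);
print_r($safe);   // where: roll_no => 42, order_by: admission_date DESC

// 'role' and 'submit' never reach the insert.
print_r(pickFields($attackerPost, ['student_name', 'roll_no']));

$hash = hashPassword('example-password');
var_dump(verifyPassword('example-password', $hash));   // bool(true)
var_dump(verifyPassword('1234', $hash));               // bool(false)
```

With this in place the column whitelist and the field list live next to the model that owns the table, so a new sortable column is added in one map rather than by loosening an escape. The remaining fixes (enabling csrf_protection, replacing the '123456' encryption_key, removing the hardcoded owner login and restoring the check in MY_Controller) are configuration and constructor changes in the existing files rather than new code.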
