i-Educar BFLA Vulnerability: Cross-School Student Record Modification via Import Tool

Key Information Vulnerability Name: Broken Function Level Authorization (BFLA) allowing arbitrary modification of student records via the Final Status Import Tool Summary: - A BFLA vulnerability was discovered in the Final Status Import Tool of the i-Educar application. This vulnerability allows authenticated users with "School" permissions to bypass intended functional restrictions and modify academic records for any school within their school network. - By manipulating the batch import process, attackers can target thousands of student records, such as altering their enrollment status, severely compromising the integrity of public statistical data. Affected Component: Configuration > Tools > Final Status Import Root Cause: - The application does not enforce Function Level Authorization (BFLA) when processing batch updates via the Final Status Import Tool. While the system visually and functionally restricts "School" level users from modifying student data outside their own school in the standard user interface (UI), these restrictions are not enforced in the backend service responsible for processing CSV files. Expected Behavior: - Users with "School" permissions should only be able to modify student records belonging to their own school. - Any attempt to modify data from other institutions via the import tool should be detected and result in an authorization error or skip the specific record. Observed Behavior: - Authenticated users can bypass UI-level permission controls via the import tool and modify student enrollment data in the city-wide database for any school. Proof of Concept (PoC): - Includes screenshots demonstrating the attacker’s context, permission settings, functional restrictions, and specific UI violations. - Provides an example CSV file used to exploit the BFLA vulnerability for changing student record statuses. - Details the step-by-step process of bypassing restrictions using the import tool. - Confirms successful exploitation and the ability to perform large-scale tampering of student record statuses. Impact: - Data Integrity Compromise: The vulnerability enables arbitrary modification of student records to any system-defined status, leading to severe data inconsistency issues. - Multi-tenancy Isolation Failure: Logical isolation is broken, allowing ordinary users from one school to modify student data from other schools. - Systematic Corruption of Educational Statistics: Since "Final Status" is a key basis for official large-scale data reporting, this vulnerability directly leads to inaccurate data, resulting in legal complications and financial waste. - Administrative Chaos: A large-scale tampering attack would require complex database forensics and extensive manual record reviews, causing significant administrative disruption. Reference Documentation: Provides a link to the i-Educar GitHub repository. Researcher: ViniCastro2001

Goal Reached Thanks to every supporter — we hit 100%!

i-Educar BFLA Vulnerability: Cross-School Student Record Modification via Import Tool

More from this source