i-Educar Final Status Import BFLA Vulnerability Analysis

Critical Vulnerability Information Vulnerability Name Broken Function Level Authorization (BFLA) Affected System Final Status Import tool of the i-Educar application Vulnerability Description An authenticated user with "School" level permissions can bypass intended functional restrictions and modify student records belonging to any school unit within the municipal network. By manipulating the bulk import process, an attacker can execute large-scale student data corruption, such as changing registration status to "Deceased" (Falecido), leading to total database integrity compromise and potentially impacting official school census statistics. Vulnerable Component Root Cause The issue lies in the file, which uses global lookup methods (such as Eloquent’s ), retrieving registration records solely based on IDs provided in the CSV, without restricting the query scope to the authenticated user’s . Expected Behavior Any attempt to modify records from other institutions via the import tool should be blocked, resulting in authorization errors or skipping those specific records. Observed Behavior An authenticated user can modify any student record in the municipal database through the import tool, regardless of the school unit, simply by providing the target registration ID in the CSV file. Proof of Concept (PoC) 1. Attacker Context and Permission Setup - Attacker account ( ) is strictly limited to a specific school unit (elementary school) with low-level "School" permissions. All administrative or global editing privileges are disabled. 2. UI-Level Function Restrictions (BFLA Evidence) - Authorized Access: When an administrator with global or appropriate local permissions accesses student records, the "Final Status" dropdown is visible and fully functional, allowing manual status updates. - Unauthorized Access (Attacker View): When the attacker ( ) attempts to edit students from a different school unit via the standard UI, the "Final Status" dropdown is hidden. The system correctly identifies the user’s lack of permission for this specific function at the frontend. 3. Payload Preparation - The attacker identifies student IDs from other institutions (e.g., IDs 212, 199, 200). A CSV payload is prepared to forcibly change their status to "Falecido" (Deceased). 4. Bypass Execution via Import Tool - The attacker navigates to the "Final Status Import" tool. After uploading the CSV, the vulnerable service is triggered. The backend processes IDs without verifying institutional ownership. 5. Confirmation of Global Impact - The tool reports all records as successfully imported. Checking the target students’ profiles from unauthorized units confirms the status change. Multiple students are affected, demonstrating large-scale corruption capability. Impact Critical Data Integrity Failure: The vulnerability allows arbitrary modification of student records to any available system status (Approved, Transferred, Abandoned, Deceased). This represents a massive integrity breach, as an attacker can manipulate the academic or life status history of tens of thousands of students across the entire municipal network in a single operation. Multi-Tenancy Isolation Breach: The vulnerability completely breaks logical isolation between different school units. A low-privileged user from a single school can affect data belonging to any other institution in the system database. Systemic Disruption of Educational Statistics: Since "Final Status" is a primary data point for official government reporting (School Census), this vulnerability directly threatens the accuracy of official government reports, potentially leading to legal complications and loss of public funding. Administrative Disruption: Recovery from a large-scale corruption attack would require extensive database forensics and manual verification of thousands of records, resulting in significant operational downtime.

Goal Reached Thanks to every supporter — we hit 100%!

i-Educar Final Status Import BFLA Vulnerability Analysis

More from this source