SRMS Unauthenticated Vulns: SMTP Hijacking, Bulk Account Injection, Account Deletion

Vulnerability Key Information Vulnerability 1: Unauthenticated SMTP Configuration Hijacking Type: Broken Access Control / Improper Authorization CWE ID: CWE-284, CWE-862 Severity: Critical CVSS v3.1 Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Affected Component: /srms/script/admin/core/update_smtp.php Technical Description: A critical endpoint in the application is responsible for updating global SMTP configuration. Due to the absence of session validation mechanisms, any unauthenticated user can directly send a POST request to this endpoint, overwriting the system's email server settings. Proof of Concept (Exploit): Attack Scenario: The attacker modifies SMTP settings to point to a malicious mail server. Malicious payload (HTML) enables credentials to be sent to a server controlled by the attacker. --- Vulnerability 2: Unauthenticated Bulk Account Injection (Arbitrary File Upload) Type: Authentication Bypass / Unrestricted Upload CWE ID: CWE-434, CWE-306 Severity: Critical CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Affected Component: /srms/script/admin/core/import_users.php Technical Description: The script parses uploaded Excel files and creates user accounts in bulk. This endpoint lacks Access Control Lists (ACLs), allowing any user to upload files containing malicious data. Proof of Concept (Exploit): The attacker crafts a malicious Excel file that matches the parser’s logic, specifying Teacher (Level 2) privileges and activating the account. --- Vulnerability 3: Unauthenticated Arbitrary Account Deletion (DoS) Severity: Critical CVSS Reference: ~8.2 Component: /admin/core/drop_user.php CWE ID: CWE-284 Technical Analysis: completely lacks session validation or access control mechanisms. It is trivial to delete any account via an HTTP GET request, including administrator accounts. The attacker can directly set the parameter to an administrator’s ID, causing permanent Denial of Service (DoS). Mitigation Strategy Enforce session-based access control for all administrative scripts before execution. Recommended: Add code blocks at the top of and scripts to validate the session. Disclaimer This report is intended solely for educational and security research purposes. Unauthorized use for illegal activities is strictly prohibited.

Goal Reached Thanks to every supporter — we hit 100%!

SRMS Unauthenticated Vulns: SMTP Hijacking, Bulk Account Injection, Account Deletion

More from this source