Header Ads Widget

CVE-2025-0843 | Library-Card-System | Broken Access Control In Admindashboard.php | Found By Maloy Roy Orko

January 19, 2025

Hi All, 

I am Maloy Roy Orko.

Recently in one of my pentest research, I found a Library-Card-System application By Needyamin which is an open source Library-Card-System to print a library card with student information using PHP, MYSQL, JAVASCRIPT.

It is based on the scripting languages of PHP. Library-Card-System is a Library-Card-System using PHP, MYSQL, JAVASCRIPT

Curious to explore its functionalities, I downloaded and set it up in my local system. 

After fiddling with the source code, I found that it did not have any kind of Proper Access Management in admindashboard.php file.

It can lead into:

  1. Malware Distribution
  2. Unauthorized Access 
  3. Data Breach
  4. Web Shell Installation
  5. Reputation Damage

The Main Thing Is,If any NON-IT personal uses this template,he will fall into this vulnerability and his companies reputation can be lost too.Thats why I am trying to inform everyone about this.

  • Title of the Vulnerability: 
  • Library-Card-System | Broken Access Control In admindashboard.php | Found By Maloy Roy Orko
  • Vulnerability Class: SQL Injection
  • Product Name: Library-Card-System
  • Vendor: https://github.com/needyamin/
  • Vulnerable Product Link: https://github.com/needyamin/Library-Card-System/
  • Technical Details & Description: The application source code is coded in a way which allows To Login Dashboard Without Any Verification.It can lead into:
  1. Malware Distribution
  2. Data Breach
  3. Unauthorized Access 
  4. Denial of Service (DoS)
  5. Web Shell Installation
  6. Reputation Damage
  • Product & Service Introduction: Library-Card-System
  • Observation & Exploitation: 
Here,The Admin Panel Location Is: 

/admin.php/

Lets Exploit 🌠🗝️🔐:

  1. First,Go To The Dashboard
  2. Example: 192.168.0.100:8080/libb/admindashboard.php
  3. See,You Can Enter The Dashboard Without Any Login.
  4. Here Dashboard Is: /admindashboard php/ 


Conclusion :- 

The main aim of this article is to show that if any NON-IT personal uses this template,he will fall into this vulnerability and his companies reputation can be lost too. But I also hope that it helps to give you ideas of how combi

ning attacks can make them much more potent. 

Tags: