Privilege Escalation — Unauthenticated access to Admin Portal (CVE-2020-35745)

Ashish Dhone
3 min read · Jan 6, 2021

Introduction

This article is a write-up on how I found a Privilege Escalation vulnerability where an attacker can access the complete admin portal without authentication, which gave me a new CVE, CVE-2020-35745.

What is Privilege Escalation?

Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application. The result is that the application performs actions with more privileges than those intended by the developer or system administrator.

Usually, people refer to vertical escalation when it is possible to access resources granted to more privileged accounts (e.g., acquiring administrative privileges for the application), and to horizontal escalation when it is possible to access resources granted to a similarly configured account (e.g., in an online banking application, accessing information related to a different user).
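The distinction above can be enforced as three separate server-side checks: is there a session, is the role high enough, and does the record belong to the caller. The following is an added example, not code from the original article or from the Hospital Management System; the roles, paths and user ids are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical role ranks; a higher rank includes the lower one's access.
ROLE_RANK = {"customer": 1, "admin": 2}

@dataclass(frozen=True)
class User:
    user_id: int
    role: str

@dataclass(frozen=True)
class Resource:
    path: str
    min_role: str                    # lowest role allowed to reach this path
    owner_id: Optional[int] = None   # set when the record belongs to one user

def authorize(user: Optional[User], res: Resource) -> str:
    """Return "allow" or a deny reason; meant to run server side on every request."""
    if user is None:
        # No authenticated session at all: deny before any role logic runs.
        return "deny:unauthenticated"
    if ROLE_RANK.get(user.role, 0) < ROLE_RANK[res.min_role]:
        # Role too low for this resource: a vertical escalation attempt.
        return "deny:vertical"
    is_admin = user.role == "admin"
    if res.owner_id is not None and not is_admin and res.owner_id != user.user_id:
        # Same privilege level, someone else's record: horizontal escalation.
        return "deny:horizontal"
    return "allow"

# Constructed sample data (paths and ids are illustrative only).
ADMIN_PORTAL = Resource("/admin/dashboard", min_role="admin")
ACCOUNT_1001 = Resource("/accounts/1001", min_role="customer", owner_id=1001)
ALICE, BOB, ROOT = User(1001, "customer"), User(1002, "customer"), User(1, "admin")

def run_samples() -> dict:
    cases = {
        "anonymous -> admin portal": (None, ADMIN_PORTAL),
        "customer -> admin portal": (ALICE, ADMIN_PORTAL),
        "customer -> other customer's account": (BOB, ACCOUNT_1001),
        "customer -> own account": (ALICE, ACCOUNT_1001),
        "admin -> admin portal": (ROOT, ADMIN_PORTAL),
    }
    return {name: authorize(u, r) for name, (u, r) in cases.items()}

if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{decision:22} {name}")
```

Logging the deny reason separately makes it possible to tell unauthenticated probing of admin paths apart from authenticated users reaching beyond their role or their own records.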

Vulnerability exploitation

I have found this vulnerability in Hospital Management System — 4.0 of PHPGURUKUL.

Hospital Management System is a web application for hospitals that manages doctors and patients. The project uses PHP and a MySQL database.
The entire project mainly consists of 3 modules, which are
