CVE-2025-70147 Overview
CVE-2025-70147 is a missing authentication vulnerability in ProjectWorlds Online Time Table Generator 1.0. The affected endpoints /admin/student.php and /admin/teacher.php fail to implement proper session validation, allowing unauthenticated remote attackers to access sensitive information including plaintext password field values through direct HTTP GET requests.
Critical Impact
Unauthenticated attackers can directly access administrative endpoints to retrieve sensitive user data including plaintext passwords, potentially compromising all student and teacher accounts in the system.
Affected Products
- ProjectWorlds Online Time Table Generator 1.0
- /admin/student.php endpoint
- /admin/teacher.php endpoint
Discovery Timeline
- 2026-02-18 - CVE-2025-70147 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-70147
Vulnerability Analysis
This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The administrative endpoints in the Online Time Table Generator application lack proper authentication checks, meaning any user—including unauthenticated attackers—can directly access these pages without establishing a valid session. The vulnerability is network-accessible, requires no privileges or user interaction to exploit, and results in high confidentiality impact due to the exposure of sensitive user data including plaintext passwords.
Root Cause
The root cause of this vulnerability is the complete absence of session validation logic in the /admin/student.php and /admin/teacher.php files. These PHP scripts do not verify whether the requesting user has an authenticated session before processing the request and returning sensitive data. This is a fundamental broken access control issue where critical administrative functionality is exposed without any authentication gate.
Attack Vector
The attack vector is straightforward: an attacker can simply navigate directly to the vulnerable endpoints using standard HTTP GET requests. No authentication credentials, session tokens, or special headers are required. The attacker receives the full response containing sensitive information including student and teacher records with plaintext password values. This could be performed from any network location that can reach the web application.
The exploitation process involves:
- Identifying a target instance of ProjectWorlds Online Time Table Generator 1.0
- Sending a direct HTTP GET request to /admin/student.php or /admin/teacher.php
- Receiving the full administrative data response including plaintext credentials
- Using the harvested credentials for further unauthorized access
Detection Methods for CVE-2025-70147
Indicators of Compromise
- Unexpected HTTP GET requests to /admin/student.php or /admin/teacher.php from external IP addresses
- Access to administrative endpoints without corresponding successful login events
- High volume of requests to admin endpoints from single sources indicating automated credential harvesting
- Evidence of credential reuse attacks following exposure of plaintext passwords
Detection Strategies
- Implement web application firewall (WAF) rules to monitor and alert on unauthenticated access attempts to /admin/ paths
- Configure server access logs to flag requests to sensitive endpoints that lack session cookies or authentication tokens
- Deploy intrusion detection signatures for HTTP traffic patterns targeting the specific vulnerable endpoints
- Monitor for anomalous access patterns to administrative functions
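The log-based strategy above, worked through as an added example (not part of the original advisory): a PHP CLI script that scans access-log lines for successful responses from the two exposed endpoints that carried no session cookie. It assumes Apache is logging with a custom format that appends the Cookie header (the LogFormat in the comment), and the log lines embedded below are constructed samples in that format.

```php
<?php
// Detection helper for CVE-2025-70147: report 200 responses from /admin/student.php
// or /admin/teacher.php that arrived without a PHPSESSID cookie.
// Assumed Apache log format (assumption, not from the advisory):
//   LogFormat "%h %t \"%r\" %>s \"%{Cookie}i\"" admincookie
declare(strict_types=1);

const VULNERABLE_PATHS = ['/admin/student.php', '/admin/teacher.php'];

// Constructed sample log lines in the format above.
$sampleLog = <<<'LOG'
203.0.113.7 [18/Feb/2026:10:01:02 +0000] "GET /admin/student.php HTTP/1.1" 200 "-"
198.51.100.3 [18/Feb/2026:10:02:15 +0000] "GET /admin/teacher.php HTTP/1.1" 200 "PHPSESSID=2f9c1d"
203.0.113.7 [18/Feb/2026:10:02:40 +0000] "GET /admin/teacher.php HTTP/1.1" 200 "-"
192.0.2.9 [18/Feb/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 "-"
LOG;

// source, timestamp, method, target, status, cookie header
$pattern = '/^(\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) "([^"]*)"$/';
$hitsBySource = [];

foreach (explode("\n", $sampleLog) as $line) {
    if (!preg_match($pattern, $line, $m)) {
        continue;   // line is not in the expected format
    }
    [, $src, $ts, $method, $target, $status, $cookie] = $m;
    $path = parse_url($target, PHP_URL_PATH) ?: $target;   // strip any query string
    if (!in_array($path, VULNERABLE_PATHS, true) || $status !== '200') {
        continue;   // only successful responses from the two endpoints leaked data
    }
    // The vulnerable code never checks the session, so a 200 with no PHPSESSID
    // cookie is a strong sign the response went to an unauthenticated client.
    if (strpos($cookie, 'PHPSESSID=') === false) {
        $hitsBySource[$src][] = "$ts $method $path";
    }
}

// Per-source counts surface the "high volume from a single source" indicator.
foreach ($hitsBySource as $src => $hits) {
    printf("%s: %d unauthenticated admin hit(s)\n", $src, count($hits));
    foreach ($hits as $hit) {
        echo "  $hit\n";
    }
}
```

A request that does carry a PHPSESSID cookie can still be unauthenticated on the vulnerable version, so correlate flagged sources with the login events listed under Indicators of Compromise rather than treating cookie presence as proof of a valid session.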
Monitoring Recommendations
- Enable detailed access logging for all requests to the /admin/ directory
- Implement real-time alerting for any access to /admin/student.php or /admin/teacher.php without valid authentication
- Review web server logs regularly for evidence of exploitation attempts
- Monitor for credential stuffing attacks that may indicate previously harvested credentials are being used
How to Mitigate CVE-2025-70147
Immediate Actions Required
- Restrict network access to the application by placing it behind a VPN or firewall until patched
- Implement HTTP Basic Authentication at the web server level for the /admin/ directory as a temporary measure
- Force password resets for all user accounts if there is any indication the vulnerability has been exploited
- Review access logs to identify potential prior exploitation
Patch Information
No official vendor patch has been identified for this vulnerability at this time. Organizations using ProjectWorlds Online Time Table Generator 1.0 should contact the vendor for remediation guidance or implement the workarounds described below. For more information about the vulnerability, see the Young Kevin CVE-2025-70147 Analysis and the Project Worlds Tool Overview.
Workarounds
- Add server-level authentication using .htaccess to protect the /admin/ directory
- Implement network-level restrictions to allow administrative access only from trusted IP addresses
- Consider taking the application offline if it contains sensitive data until proper authentication can be implemented
- Manually add PHP session validation code to the vulnerable files as a code-level fix
# Apache .htaccess workaround for the /admin/ directory
# Place this file in the /admin/ directory and create the password file with htpasswd(1).
# The directory must be covered by "AllowOverride AuthConfig Limit" (or All) for this to apply.
AuthType Basic
AuthName "Restricted Admin Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
# Optional IP allow-list. With "Satisfy any" a request passes if EITHER the Basic Auth
# check OR the IP rule succeeds, so 127.0.0.1 below is exempt from the password prompt;
# remove the Allow line (or the whole IP block) to require credentials from everyone.
# Order/Deny/Allow are Apache 2.2 directives; Apache 2.4 needs mod_access_compat for them.
Order deny,allow
Deny from all
Allow from 127.0.0.1
Satisfy any
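The code-level workaround from the list above, as an added example (not vendor code and not part of the original advisory): a small guard file to include at the top of /admin/student.php and /admin/teacher.php. It assumes the application's login handler lives at /admin/index.php and stores the logged-in admin's id in $_SESSION['admin_id']; both names are assumptions and must be adjusted to the installed application.

```php
<?php
// auth_guard.php: session gate for the /admin/ pages of Online Time Table Generator 1.0.
// Assumptions (not from the advisory): login page is /admin/index.php and a successful
// login sets $_SESSION['admin_id'] to the admin's numeric id.
declare(strict_types=1);

function admin_is_authenticated(array $session): bool
{
    // Require a positive integer id so a stale, empty or tampered value cannot pass.
    return isset($session['admin_id'])
        && is_int($session['admin_id'])
        && $session['admin_id'] > 0;
}

function require_admin_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        // Harden the session cookie before the session is started.
        session_set_cookie_params([
            'httponly' => true,
            'samesite' => 'Strict',
            'secure'   => !empty($_SERVER['HTTPS']),
        ]);
        session_start();
    }

    if (!admin_is_authenticated($_SESSION)) {
        // Record the blocked request so attempts show up in the web server error log.
        error_log(sprintf(
            'admin auth guard: blocked %s %s from %s',
            $_SERVER['REQUEST_METHOD'] ?? '-',
            $_SERVER['REQUEST_URI'] ?? '-',
            $_SERVER['REMOTE_ADDR'] ?? '-'
        ));
        header('Location: /admin/index.php', true, 302);
        exit;   // stop before any record or password field is rendered
    }
}

// Usage: make these the first two statements of /admin/student.php and
// /admin/teacher.php, before any HTML output:
//   require_once __DIR__ . '/auth_guard.php';
//   require_admin_session();
```

This closes only the missing-authentication gap; the plaintext password values the advisory describes remain a separate weakness that needs password hashing in the application itself.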
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.