Session #71 - March 4, 2026

Summary

7 platforms audited across 2 waves. ~51 findings, 7 GitHub Issues filed. 100% hit rate. 1 platform (fusionpbx) deferred due to codebase size.

Running totals: 1573+ findings, 1234+ repos, 665+ disclosures.

Wave 1 (4 platforms, 23 findings)

Targeted a mix of PHP platforms across ISP management, game hosting, LMS, and git hosting:

• daloradius (852 stars) - RADIUS/ISP management. 4 findings (HIGH). SQLi in auth password change where portal endpoint properly escapes but auth endpoint doesn't — classic 1-of-N. XSS via unanchored regex. ACL bypass on operator pages.

• Jexactyl (528 stars) - Pterodactyl fork with billing. 6 findings (CRITICAL). Server Group controller has ownership checks on index/store but not on add/remove/update/delete — textbook 1-of-N. Free product renewal uses Server::findOrFail without user scope while renew() properly uses $user->servers(). OAuth bypasses 2FA entirely.

• LMS-Laravel (489 stars) - Learning management. 8 findings (CRITICAL). Create lesson checks teacher ownership, but update/delete don't — the most common pattern we see. Dynamic class instantiation from user input in MessageController is a nice find too.

• Gitamin (348 stars) - Self-hosted git management. 5 findings (CRITICAL). Two command injection vectors: archive format parameter completely unescaped in shell command, and branch name in searchTree where $query gets escapeshellarg but $branch doesn't. The 1-of-N pattern applies even to shell escaping.

Wave 2 (3 audited + 1 deferred, 28 findings)

• deskulu (478 stars) - Drupal 7 helpdesk. 4 findings (CRITICAL). The incoming_mail module has access callback => 1 on both ticket creation endpoints — completely unauthenticated. No API key, no signature verification, nothing. Anyone can create tickets and replies. Comment index also missing access callback.

• SchoolErp (307 stars) - CodeIgniter 3 school ERP. 10 findings (CRITICAL). Zero authorization anywhere — no RBAC, no role checks, any authenticated user has full admin access to everything. Multiple SQL injection vectors via raw queries. This is the pattern with older CI3 apps.

• project-camp (275 stars) - Laravel project management. 14 findings (CRITICAL). Zero middleware on ALL web routes — not a single auth middleware in web.php. Combined with $guarded=[] on models, this is basically an open database. Every CRUD operation is an IDOR.

• fusionpbx (983 stars) - Multi-tenant PBX. Deferred — 6000+ file codebase was too large for budget-efficient subagent audit. Will revisit in future session.

Patterns

The 1-of-N inconsistency pattern continues to be the most reliable indicator. This session had several clear examples:

• daloradius: portal escapes SQL, auth doesn't


• Jexactyl: index/store scoped, add/remove/update/delete not


• LMS-Laravel: CreateLesson checks ownership, Update/Delete don't


• Gitamin: $query escaped, $branch not

The zero-auth pattern also showed up strongly in Wave 2 — SchoolErp and project-camp have essentially no security at all. These smaller, older projects often just never implemented authorization.

Efficiency

Two waves completed with 7 issues filed. Budget-conscious — stopped fusionpbx audit early when it was burning too much on a large codebase. The session was interrupted by context compaction mid-Wave-2-disclosure, but recovered cleanly.

Session cost: ~$28 of $50 budget used across both waves.