Title | GitHub Insurance Management System 1.0 Improper Access Controls |
---|
Description | Description:
The Life Insurance Management System (LIMS) contains an endpoint, editPayment.php, that allows users to edit payment records. A payment record is selected by the recipt_no parameter in the URL, which corresponds directly to the record's identifier in the backend database.
The application does not enforce an access control check on the recipt_no parameter. By changing recipt_no to reference a payment record that should not be editable (for example, a record belonging to another user or one marked as non-editable), a user can access and modify that record without authorization.
Steps to Reproduce:
Log in to the Life Insurance Management System (LIMS) and navigate to the payments section (payment.php).
Identify a payment that is editable and note its recipt_no value in the URL, e.g., http://127.0.0.1/life-insurance-management-system/lims/editPayment.php?recipt_no=1511987179_452089622.
Identify a payment that is not editable and note its recipt_no value, e.g., 1511988103_361528786.
Replace the recipt_no in the URL of the editable payment with the recipt_no of the non-editable payment and press Enter, e.g., http://127.0.0.1/life-insurance-management-system/lims/editPayment.php?recipt_no=1511988103_361528786.
Observe that the system allows you to access and edit the non-editable payment record.
Make changes to the payment record and save them.
Impact:
This vulnerability can allow an attacker to:
Modify payment records that should be restricted or read-only.
Gain unauthorized access to payment records of other users.
Potentially cause financial and data integrity issues within the system.
The impact of this vulnerability could be significant depending on the sensitivity of the payment data and the actions that unauthorized users can perform.
Recommendation:
To mitigate this vulnerability, the following actions should be taken:
Implement Proper Access Control: Ensure that the server-side application validates whether the logged-in user has the necessary permissions to edit or access the payment record associated with the recipt_no. This should be enforced through access control checks based on user roles or ownership of the records.
Use Indirect References: Instead of using direct object references like recipt_no, consider using indirect references or opaque tokens that do not reveal the actual record identifiers.
Validate User Permissions: Before allowing any modification, the system should validate whether the user has permission to edit the specific record. If the record is not editable, the system should return an error message and prevent further action.
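A server-side check that implements the recommendations above, written here as an added illustration; it is not code from the life-insurance-management-system project. It assumes a `payment` table with columns `recipt_no`, `owner_id`, `amount` and `is_editable`, a session that stores `user_id`, and PDO connection details. All of those names and values are assumptions, since the page does not show the project's schema.

```php
<?php
// Added example (not the project's code): a hardened editPayment.php handler.
// Assumed schema: table `payment` with recipt_no, owner_id, amount, is_editable.
// Column names, session layout and DSN are assumptions, not the real project's.
declare(strict_types=1);

/**
 * Load the payment identified by $reciptNo only if $userId owns it and it is
 * still editable. Ownership and editability are part of the query predicate,
 * so a recipt_no that belongs to another user simply returns no row.
 */
function loadEditablePayment(PDO $db, int $userId, string $reciptNo): ?array
{
    $stmt = $db->prepare(
        'SELECT recipt_no, owner_id, amount, is_editable
           FROM payment
          WHERE recipt_no = :rn AND owner_id = :uid AND is_editable = 1'
    );
    $stmt->execute([':rn' => $reciptNo, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Apply the update. The same ownership/editable predicate is repeated in the
 * UPDATE so that a change between the SELECT and the write cannot bypass it.
 * Returns true only when exactly one row was changed.
 */
function updatePayment(PDO $db, int $userId, string $reciptNo, float $amount): bool
{
    $stmt = $db->prepare(
        'UPDATE payment SET amount = :amt
          WHERE recipt_no = :rn AND owner_id = :uid AND is_editable = 1'
    );
    $stmt->execute([':amt' => $amount, ':rn' => $reciptNo, ':uid' => $userId]);
    return $stmt->rowCount() === 1;
}

// --- request handling ---
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login required');
}
$userId   = (int) $_SESSION['user_id'];
$reciptNo = (string) ($_GET['recipt_no'] ?? '');

// Reject anything that does not match the receipt format seen on the page
// (digits, underscore, digits) before it reaches the database.
if (!preg_match('/^\d+_\d+$/', $reciptNo)) {
    http_response_code(400);
    exit('bad recipt_no');
}

// Assumed connection details.
$db = new PDO('mysql:host=localhost;dbname=lims', 'lims', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

$payment = loadEditablePayment($db, $userId, $reciptNo);
if ($payment === null) {
    // Identical response for "belongs to someone else", "locked" and
    // "does not exist", so recipt_no cannot be used to probe records.
    http_response_code(403);
    exit('not permitted');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $amount = filter_input(INPUT_POST, 'amount', FILTER_VALIDATE_FLOAT);
    if ($amount === false || $amount === null) {
        http_response_code(400);
        exit('bad amount');
    }
    if (!updatePayment($db, $userId, $reciptNo, $amount)) {
        http_response_code(403);
        exit('not permitted');
    }
    echo 'saved';
} else {
    // Render the edit form for $payment here.
}
```

The ownership and is_editable predicate appears in both the SELECT and the UPDATE, so the write itself fails if the record changes between the two queries, and every refusal returns the same 403 so the identifier cannot be used to learn which records exist. The indirect-reference recommendation can be layered on top by issuing a random per-session token that maps to recipt_no on the server; the ownership check in the queries must stay regardless, because the token only hides the identifier and does not by itself authorize the edit.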
Github link to application: https://github.com/nafisulbari/life-insurance-management-system |
---|
Source | ⚠️ http://127.0.0.1/life-insurance-management-system/lims/payment.php |
---|
User | fahadletsleep (ID 73320) |
---|
Submission | 08/18/2024 02:22 PM (2 months ago) |
---|
Moderation | 08/27/2024 02:26 PM (9 days later) |
---|
Status | Accepted |
---|
VulDB Entry | 275924 |
---|
Points | 20 |
---|