Submit #739837: PHPGurukul Hospital Management System v1.0 Missing Authorization

Title: PHPGurukul Hospital Management System v1.0 Missing Authorization
Description: The PHPGurukul Hospital Management System (a Django application) fails to implement server-side authorization checks on admin endpoints. Lower-privileged users (Doctor: user_type=2, Patient: user_type=3) can directly access admin functionality by manually changing the URL path from their respective dashboards to admin paths.

Example:
- Patient logged in, URL: /Pat/PatHome
- Manually change the URL to: /Admin/AdminHome
- Result: the patient sees the admin dashboard and can perform admin actions

The vulnerability exists at the following path: http://127.0.0.1:8000/Admin/AdminHome

Successful exploitation of this vulnerability allows any authenticated user, including patients and doctors, to bypass authorization controls and gain unauthorized access to administrative and restricted functionality within the application. An attacker can escalate privileges by directly manipulating URL paths, resulting in administrative access without possessing administrative credentials. This enables unauthorized users to view, modify, and delete sensitive data across the system. The impact includes unauthorized disclosure of sensitive healthcare information, such as patient personal and medical records, leading to severe confidentiality breaches and potential violations of healthcare data protection regulations. Additionally, attackers can perform unauthorized data modification and deletion, compromising data integrity and system reliability.
Source: https://github.com/rsecroot/Hospital-Management-System/blob/main/Broken%20Access%20Control.md
User: hackerfactory (UID 85869)
Submission: 15.01.2026 16:57 (3 months ago)
Moderated: 28.01.2026 17:55 (13 days later)
Status: Accepted
VulDB Entry: 343246 [PHPGurukul Hospital Management System 1.0 Admin Dashboard Page adminviews.py privilege escalation]
Points: 20
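The description above reports that the admin views trust the URL alone and never verify the caller's role on the server. The following added example (not code from the submitter, from VulDB, or from the PHPGurukul project) shows the mitigation pattern in a framework-independent form: each admin view is wrapped in a decorator that checks the authenticated user's user_type server-side, so a patient who retypes /Pat/PatHome as /Admin/AdminHome receives a 403 instead of the admin dashboard. The Request, User and Response classes are constructed stand-ins rather than Django's own; Doctor=2 and Patient=3 are taken from the report, while Admin=1 is an assumption.

```python
"""Server-side role enforcement for admin views, as a stand-alone sketch.

Assumptions (not stated in the report): user_type 1 = admin; the request,
user and response objects below are constructed stand-ins, not Django's.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Optional

ADMIN, DOCTOR, PATIENT = 1, 2, 3   # 1 is assumed; 2 and 3 come from the report


@dataclass
class User:
    username: str
    user_type: int
    is_authenticated: bool = True


@dataclass
class Request:
    path: str
    user: Optional[User]   # None models an anonymous caller


@dataclass
class Response:
    status: int
    body: str


def require_user_type(*allowed: int) -> Callable:
    """Deny unless request.user is authenticated and has an allowed user_type.

    The check runs on the server for every call, regardless of which URL the
    client typed, which is exactly what the reported views lack.
    """
    def decorator(view: Callable[..., Response]) -> Callable[..., Response]:
        @wraps(view)
        def wrapper(request: Request, *args, **kwargs) -> Response:
            user = request.user
            if user is None or not user.is_authenticated:
                return Response(302, "redirect:/login")   # not logged in
            if user.user_type not in allowed:
                return Response(403, "forbidden")          # logged in, wrong role
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


# Vulnerable shape: the view renders for whoever reaches the URL.
def admin_home_unprotected(request: Request) -> Response:
    return Response(200, "admin dashboard")


# Hardened shape: the same view with the role check applied.
@require_user_type(ADMIN)
def admin_home(request: Request) -> Response:
    return Response(200, "admin dashboard")


@require_user_type(PATIENT)
def pat_home(request: Request) -> Response:
    return Response(200, "patient dashboard")


# Minimal router so the scenario from the report can be exercised end to end.
ROUTES = {"/Admin/AdminHome": admin_home, "/Pat/PatHome": pat_home}


def dispatch(request: Request) -> Response:
    view = ROUTES.get(request.path)
    if view is None:
        return Response(404, "not found")
    return view(request)


def demo() -> dict:
    """Replay the report's scenario and return the status code per case."""
    patient = User("pat1", PATIENT)        # constructed sample users
    admin = User("adm1", ADMIN)
    return {
        "patient_own_page": dispatch(Request("/Pat/PatHome", patient)).status,
        "patient_admin_page": dispatch(Request("/Admin/AdminHome", patient)).status,
        "admin_admin_page": dispatch(Request("/Admin/AdminHome", admin)).status,
        "anon_admin_page": dispatch(Request("/Admin/AdminHome", None)).status,
        "unprotected_view": admin_home_unprotected(Request("/Admin/AdminHome", patient)).status,
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

The "unprotected_view" case reproduces the reported behaviour (a patient gets 200 from the admin view); the decorated routes show the fix. In a real Django project the same idea is applied by putting the decorator on every view under /Admin/, or by enforcing the role once in middleware keyed on the URL prefix, so that no single view can be forgotten.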
