Submission #739837: PHPGurukul Hospital Management System v1.0 Missing Authorization

Info

Title: PHPGurukul Hospital Management System v1.0 Missing Authorization
Description: The Django PHPGurukul Hospital Management System fails to implement server-side authorization checks on admin endpoints. Lower-privileged users (Doctor: user_type=2, Patient: user_type=3) can directly access admin functionality by manually changing the URL path from their respective dashboards to admin paths.

Example:
- Patient logged in → URL: /Pat/PatHome
- Manually change to → URL: /Admin/AdminHome
- Result: the patient sees the admin dashboard and can perform admin actions

The vulnerability exists at the following path: http://127.0.0.1:8000/Admin/AdminHome

Successful exploitation of this vulnerability allows any authenticated user, including patients and doctors, to bypass authorization controls and gain unauthorized access to administrative and restricted functionality within the application. An attacker can escalate privileges by directly manipulating URL paths, resulting in administrative access without possessing administrative credentials. This enables unauthorized users to view, modify, and delete sensitive data across the system. The impact includes unauthorized disclosure of sensitive healthcare information, such as patient personal and medical records, leading to severe confidentiality breaches and potential violations of healthcare data protection regulations. Additionally, attackers can perform unauthorized data modification and deletion, compromising data integrity and system reliability.
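The server-side role check that the description says is missing, as an added example that is not the project's code: a Django-style middleware that maps URL prefixes to the roles allowed to reach them and denies everything else by default. It assumes the login flow stores the role in request.session["user_type"], that admin is user_type=1 (the report only gives doctor=2 and patient=3), and it uses a constructed stand-in for Django's request object so it runs without Django installed.

```python
# Added example, not the project's code: the server-side role check the report
# says is missing, written as Django-style middleware. Assumes the login flow
# stores the role in request.session["user_type"]; admin = 1 is an assumption
# (the report only gives doctor = 2, patient = 3).
from typing import Callable, Optional

ADMIN, DOCTOR, PATIENT = 1, 2, 3
PUBLIC_PATHS = {"/", "/login", "/logout"}
# URL prefix -> roles allowed in. Paths not listed are denied by default, so a
# new admin view is never exposed just because nobody remembered to guard it.
ROLE_FOR_PREFIX = {"/Admin/": {ADMIN}, "/Doc/": {DOCTOR}, "/Pat/": {PATIENT}}


def check_access(path: str, user_type: Optional[int]) -> bool:
    """True only if a user with this role may reach this path."""
    if path in PUBLIC_PATHS:
        return True
    if user_type is None:  # anonymous: nothing but the public pages
        return False
    for prefix, roles in ROLE_FOR_PREFIX.items():
        if path.startswith(prefix):
            return user_type in roles
    return False  # unknown path: deny by default


class RoleRequiredMiddleware:
    """Runs before every view, so editing /Pat/PatHome into /Admin/AdminHome
    in the address bar is stopped server-side regardless of the view's code."""

    def __init__(self, get_response: Callable):
        self.get_response = get_response

    def __call__(self, request):
        if not check_access(request.path, request.session.get("user_type")):
            # Real Django: return HttpResponseForbidden() and log the attempt.
            return {"status": 403, "body": "Forbidden"}
        return self.get_response(request)


class FakeRequest:
    """Constructed stand-in for django.http.HttpRequest (path + session only)."""
    def __init__(self, path: str, user_type: Optional[int]):
        self.path = path
        self.session = {} if user_type is None else {"user_type": user_type}


def handle(path: str, user_type: Optional[int]) -> int:
    """Push one request through the middleware and return the HTTP status."""
    mw = RoleRequiredMiddleware(lambda req: {"status": 200, "body": "ok"})
    return mw(FakeRequest(path, user_type))["status"]
```

In a real deployment the same check belongs in MIDDLEWARE (or a decorator applied to every admin view) rather than in the templates that merely hide the admin links.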
Source: https://github.com/rsecroot/Hospital-Management-System/blob/main/Broken%20Access%20Control.md
User: hackerfactory (UID 85869)
Submitted: 2026-01-15 04:57 PM (3 months ago)
Moderation: 2026-01-28 05:55 PM (13 days later)
Status: Accepted
VulDB entry: 343246 [PHPGurukul Hospital Management System 1.0 Admin Dashboard Page adminviews.py privilege escalation]
Points: 20
