Submit #485005: Sourcecodester Best employee management system NA Improper Privilege Management

Title: Sourcecodester Best employee management system NA Improper Privilege Management

Description: The application fails to enforce proper access controls on sensitive administrative functionality. A lower-privileged user can directly access the administrative endpoint (http://localhost/_hr_soft/admin/View_user.php) by appending the path to the URL. This allows the user to perform actions such as creating, deleting, and viewing employees, which should be restricted to administrative accounts. This weakness exposes the application to unauthorized privilege escalation and potential data misuse.

Steps to Reproduce the Vulnerability:

1. Log in as Admin (optional): Log in to the application using an admin account to verify the functionality of creating, viewing, and deleting employees via the administrative panel at http://localhost/_hr_soft/admin/View_user.php.
2. Log in as a Lower-Privileged User: Log out of the admin account and log in as a lower-privileged user (e.g., a standard employee user). Confirm that this user does not have access to the administrative functionality in the application's user interface.
3. Manipulate the URL: Append the admin panel path (/admin/View_user.php) to the base URL (http://localhost/_hr_soft/). Example: http://localhost/_hr_soft/admin/View_user.php.
4. Verify Access: Navigate to the manipulated URL while logged in as the lower-privileged user. Observe that the restricted admin functionality, such as creating, viewing, and deleting employees, is accessible without proper authorization.
5. Test Functionality Misuse: Perform actions such as deleting or creating employee records to confirm that the lower-privileged user can execute admin-level operations.
6. Document the Impact: Note that this behavior violates the principle of least privilege and allows unauthorized actions, which can lead to data integrity and security issues.
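The root cause described above is a missing server-side authorization check on the admin pages. The following is an added example of the kind of guard that would close the gap; it is not code from the Sourcecodester project or from the submitter. The session keys (`logged_in`, `user_id`, `role`), the login path and the helper name `require_admin` are assumptions about how such an application stores its login state, not the application's real identifiers.

```php
<?php
// admin_guard.php -- added example, not the Sourcecodester project's own code.
// Include this file at the very top of every page under /admin/ (View_user.php
// and, just as importantly, the create/delete action handlers) before any
// employee data is read or modified. Session key names below are assumptions.

declare(strict_types=1);

function require_admin(string $loginPath = '/_hr_soft/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Authentication check: no valid session -> redirect to login and STOP.
    // The exit after header() matters: without it PHP keeps executing the
    // page body and the redirect becomes cosmetic only.
    if (empty($_SESSION['logged_in']) || empty($_SESSION['user_id'])) {
        header('Location: ' . $loginPath, true, 302);
        exit;
    }

    // Authorization check: authenticated but not an admin -> 403 and STOP.
    // The role must come from the server-side session (set at login from the
    // database), never from a query parameter, form field or cookie the
    // client controls.
    if (($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        // Log the denied attempt: repeated hits on /admin/ from non-admin
        // accounts are exactly what a defender wants to see in the logs.
        error_log(sprintf(
            'access denied: user_id=%s role=%s uri=%s',
            (string) $_SESSION['user_id'],
            (string) ($_SESSION['role'] ?? '(none)'),
            (string) ($_SERVER['REQUEST_URI'] ?? '(unknown)')
        ));
        echo 'Forbidden';
        exit;
    }
}

require_admin();
```

Two points follow from the submission's steps 4 and 5: hiding the admin links in the user interface (step 2) is not a control, because the URL is guessable, and the guard has to sit on the action handlers as well as on the view page, otherwise the create/delete operations remain reachable by a direct request even after View_user.php itself is protected.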
Source: https://github.com/theanm0l/VulnDB/blob/main/Improper%20Authorization.md
User: Anonymous User
Submission: 01/18/2025 16:37 (1 Year ago)
Moderation: 01/28/2025 15:47 (10 days later)
Status: Accepted
VulDB entry: 293923 [SourceCodester Best Employee Management System 1.0 Administrative Endpoint /admin/View_user.php access control]
Points: 20
