Code-Projects Client Details System Authorization Bypass Vulnerability

Vulnerability

An authorization bypass vulnerability has been identified in Code-Projects Client Details System version 1.0. It allows any authenticated user to reach admin functionality without proper authorization. The root cause is that the application only checks whether a user is logged in; it never enforces roles or permissions on the admin pages or on the actions they trigger. As a result, sensitive information such as clients' personally identifiable information (PII) and plaintext passwords can be exposed, and records can be deleted or modified by an unauthorized user through crafted URLs.
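The flaw described above is a login check standing in for an authorization check. The following is an added illustration, not code from the Client Details System or from the advisory, written in Python as a framework-independent model: a shared set of handlers is wrapped once by a dispatcher that only verifies a session exists (the pattern the advisory describes) and once by a dispatcher that also enforces the user's role on every admin route, including the record-deleting one reached through a GET parameter. The route names, user names, roles and client records are constructed for the example and are not taken from the application.

```python
"""Login-only gating (the advisory's flaw) beside server-side role enforcement."""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data (assumptions for this example, not from the advisory).
# Roles live in the server-side user table, never in the request.
USERS = {"alice": "admin", "bob": "user"}
CLIENTS = {1: "Client One", 2: "Client Two"}

# Hypothetical routes standing in for the advisory's admin pages and actions.
ADMIN_ROUTES = {"/admin/clients", "/admin/users", "/admin/delete_client"}


@dataclass
class Request:
    user: Optional[str]                      # session user; None when not logged in
    path: str
    params: Dict[str, str] = field(default_factory=dict)   # query-string parameters


@dataclass
class Response:
    status: int
    body: str


def handle(req: Request, clients: Dict[int, str]) -> Response:
    """Business logic shared by both dispatchers. It assumes authorization
    has already been decided, which is exactly why the wrapper matters."""
    if req.path == "/admin/clients":
        return Response(200, "; ".join(f"{k}:{v}" for k, v in sorted(clients.items())))
    if req.path == "/admin/users":
        return Response(200, ", ".join(sorted(USERS)))
    if req.path == "/admin/delete_client":
        cid = int(req.params.get("id", "0"))
        if cid in clients:
            del clients[cid]                 # state change driven by a GET parameter
            return Response(200, f"deleted {cid}")
        return Response(404, "no such client")
    return Response(404, "not found")


def vulnerable_dispatch(req: Request, clients: Dict[int, str]) -> Response:
    """FLAW: authentication is the only gate. Any logged-in user, whatever
    their role, reaches every admin handler, including the delete action."""
    if req.user is None:
        return Response(302, "redirect to login")
    return handle(req, clients)


def hardened_dispatch(req: Request, clients: Dict[int, str]) -> Response:
    """Authentication plus authorization: the role is looked up server-side
    and checked on every request to an admin route, view or action alike."""
    if req.user is None:
        return Response(302, "redirect to login")
    if req.path in ADMIN_ROUTES and USERS.get(req.user) != "admin":
        return Response(403, "forbidden")    # deny before any handler runs
    return handle(req, clients)


if __name__ == "__main__":
    # A regular user requesting the delete action with a crafted id parameter.
    req = Request("bob", "/admin/delete_client", {"id": "1"})
    print("vulnerable:", vulnerable_dispatch(req, dict(CLIENTS)))
    print("hardened:  ", hardened_dispatch(req, dict(CLIENTS)))
```

The check has to sit in front of the action handlers, not only in front of the pages that link to them: hiding a menu item from non-admins does nothing for a request that names the delete endpoint directly. Enforcing roles also does not address the second finding in the advisory, passwords stored in plaintext; that requires password hashing on its own, regardless of who can view the records.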

Impact

Exploitation of this vulnerability gives regular users access to admin pages, letting them view and modify sensitive client information and passwords. It also allows unauthorized changes to records, undermining the integrity of the data the application manages.

Reproduction

To reproduce this vulnerability, log into the application as any user. Once logged in, open the admin 'Client Details' and 'Manage Users' pages. The absence of role-based access control is evident, since these pages should be available only to admin users. The vulnerability can also be demonstrated by modifying GET parameters to delete or change records, which bypasses the authorization checks that should protect those actions.

Added: Oct 27, 2025, 2:49 PM
Updated: Oct 27, 2025, 2:49 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  4.6
remediation     0.0
relevance       0.8
threat          6.4
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.