Bdtask Pharmacy Management System Authorization Bypass Vulnerability in User Profile Handler

An authorization bypass vulnerability has been identified in Bdtask Pharmacy Management System versions through 9.4. The issue resides in the User Profile Handler component, specifically within the '/user/edit_user/' file. The vulnerability allows authenticated users to access and manipulate the profiles of other users by altering the user ID in the URL. This exploitation is possible due to the application's lack of proper server-side authorization checks to verify if the user has the right permissions to access or edit the requested profile.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive user information, including data from administrative accounts. Additionally, it allows for profile modifications, such as changing email addresses or passwords, potentially leading to full account takeovers.

Reproduction

To reproduce this vulnerability, log into the application as a non-administrative user. Navigate to your own profile page, which will have a URL containing your user ID. Change the user ID in the URL to that of an administrator account and press Enter. The application will display the administrator's profile information, confirming the authorization bypass.

Remediation

It is recommended to implement server-side authorization checks to ensure that users can only access their own profiles or those of users with administrative roles.