PHPEMS Race Condition Vulnerability in Coupon Handler Component

Vulnerability

A race condition vulnerability has been identified in PHPEMS versions through 11.0, specifically within the Coupon Handler component. This vulnerability allows remote attackers to manipulate coupon recharge operations, exploiting the absence of proper atomicity checks. By sending multiple concurrent requests with the same coupon code, an attacker can repeatedly recharge accounts, leading to unauthorized accumulation of virtual assets. If the coupons have real monetary value, this could result in direct financial losses.

Impact

Exploitation of this vulnerability allows for repeated use of coupon codes, leading to unauthorized recharges of virtual assets. If these assets can be converted to real currency, it could result in financial losses.

Reproduction

To reproduce this vulnerability, first obtain a valid coupon code and create multiple user accounts. After retrieving the cookie values for each account, add these cookies to a script's 'cookies_list', replacing 'TARGET_COUPONSN' with the valid coupon code. Execute the script to initiate the race condition, recharging all accounts with a single coupon code.

Remediation

It is recommended to implement database row-level locking for coupon recharge operations, add real-time validation of coupon usage status, and restrict the frequency of recharge requests.
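The following is an added illustration of the first two recommendations, not code from PHPEMS: the coupon is claimed and the account credited inside one write transaction, and the usage check is a conditional UPDATE whose row count decides the outcome, so concurrent requests with the same code cannot all see it as unused. It uses SQLite (BEGIN IMMEDIATE as the row lock) and a constructed demo schema; the coupon code and user names are placeholders.

```python
import os
import sqlite3
import tempfile
import threading

def init_db(path, coupon, amount, users):
    """Constructed demo schema (not the PHPEMS schema): one coupon, N accounts."""
    conn = sqlite3.connect(path)
    conn.executescript(
        "CREATE TABLE coupons (code TEXT PRIMARY KEY, amount INTEGER NOT NULL, used_by TEXT);"
        "CREATE TABLE accounts (user TEXT PRIMARY KEY, balance INTEGER NOT NULL DEFAULT 0);")
    conn.execute("INSERT INTO coupons (code, amount) VALUES (?, ?)", (coupon, amount))
    conn.executemany("INSERT INTO accounts (user) VALUES (?)", [(u,) for u in users])
    conn.commit()
    conn.close()

def redeem_atomic(path, coupon, user):
    """Claim the coupon and credit the account in ONE write transaction. The
    conditional UPDATE is the atomicity check: only one caller can flip used_by."""
    conn = sqlite3.connect(path, timeout=10, isolation_level=None)
    try:
        conn.execute("BEGIN IMMEDIATE")  # take the write lock before reading anything
        claimed = conn.execute(
            "UPDATE coupons SET used_by = ? WHERE code = ? AND used_by IS NULL",
            (user, coupon)).rowcount
        if claimed != 1:  # already used or unknown code: reject, credit nothing
            conn.execute("ROLLBACK")
            return False
        conn.execute("UPDATE accounts SET balance = balance + "
                     "(SELECT amount FROM coupons WHERE code = ?) WHERE user = ?", (coupon, user))
        conn.execute("COMMIT")
        return True
    finally:
        conn.close()  # an uncommitted transaction is rolled back here

def run_race(users, coupon="DEMO-COUPON", amount=100):
    """Submit one redemption per user concurrently; return (successes, total credited)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.db")
        init_db(path, coupon, amount, users)
        results = {}
        threads = [threading.Thread(target=lambda u=u: results.__setitem__(u, redeem_atomic(path, coupon, u)))
                   for u in users]
        for t in threads: t.start()
        for t in threads: t.join()
        conn = sqlite3.connect(path)
        total = conn.execute("SELECT SUM(balance) FROM accounts").fetchone()[0]
        conn.close()
        return sum(results.values()), total
```

With eight accounts racing on one code, exactly one redemption succeeds and the total credited equals the coupon value once; the same pattern applies to MySQL/PostgreSQL with SELECT ... FOR UPDATE or a conditional UPDATE inside a transaction.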

Added: Dec 30, 2025, 10:18 AM
Updated: Dec 30, 2025, 10:18 AM

Vulnerability Rating (custom algorithm)

spread: 1.0
impact: 2.5
exploitability: 6.4
remediation: 0.0
relevance: 1.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.