PHPEMS
cpe:2.3:a:phpems:phpems:*:*:*:*:*:*:*
- <= 11.0
A race condition vulnerability has been identified in PHPEMS versions through 11.0, specifically within the Purchase Request Handler component. This vulnerability allows an attacker to exploit the points consumption process by sending multiple concurrent requests to purchase the same course, using the same points. As a result, the attacker can gain unauthorized access to paid courses or virtual assets without the corresponding points deduction. If the platform's points can be converted to real currency or are purchased, this could lead to direct financial losses for the platform.
Exploitation of this vulnerability allows for unauthorized access to paid courses or virtual assets, with potential economic losses if the platform's points have real monetary value.
To reproduce this vulnerability, first obtain a valid PHPEMS user account with sufficient points. Then, create a course that requires points for purchase. Intercept the purchase request using Burp Suite and import it into Burp Suite Turbo Intruder. Load a race condition script and send multiple concurrent requests. Finally, verify that the course has been purchased multiple times without a proportional deduction of points.
It is recommended to implement database row-level locking for points consumption operations, add real-time validation of points balance before transactions, introduce a transaction log mechanism to record and verify points consumption events, and restrict the frequency of concurrent requests for points-consuming actions.
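One way to apply the first three recommendations, as an added example that is not PHPEMS code: the balance check and the deduction are a single conditional `UPDATE` inside a write-locked transaction, and a ledger row with a uniqueness constraint records each purchase. It uses Python with SQLite so it runs offline; SQLite's `BEGIN IMMEDIATE` stands in for row-level locking (on a database with row locks, `SELECT ... FOR UPDATE` inside the transaction plays that role). The tables `users` and `points_log`, their columns, and the ids and prices are constructed for the illustration.

```python
import os, sqlite3, tempfile, threading

SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, points INTEGER CHECK(points >= 0));
CREATE TABLE points_log(uid INT, course INT, delta INT, UNIQUE(uid, course));
"""

def open_db(path):  # isolation_level=None: explicit BEGIN/COMMIT below
    return sqlite3.connect(path, timeout=10, isolation_level=None)

def purchase(path, uid, course, price):
    """Deduct points and log the purchase atomically; True on success."""
    db = open_db(path)
    try:
        db.execute("BEGIN IMMEDIATE")  # take the write lock up front
        # Balance check and deduction in one statement: no gap to race in.
        cur = db.execute(
            "UPDATE users SET points = points - ? WHERE id = ? AND points >= ?",
            (price, uid, price))
        if cur.rowcount != 1:
            db.execute("ROLLBACK")
            return False
        # Ledger row; UNIQUE rejects a second purchase of the same course.
        db.execute("INSERT INTO points_log VALUES (?, ?, ?)", (uid, course, -price))
        db.execute("COMMIT")
        return True
    except sqlite3.IntegrityError:
        db.execute("ROLLBACK")  # also restores the points deducted above
        return False
    finally:
        db.close()

def run_concurrent(n, balance, price=100):  # -> (successes, balance, log rows)
    path = os.path.join(tempfile.mkdtemp(), "demo.db")  # constructed test DB
    db = open_db(path)
    db.executescript(SCHEMA)
    db.execute("INSERT INTO users VALUES (1, ?)", (balance,))
    results, gate = [], threading.Barrier(n)
    def worker():
        gate.wait()  # release every request at the same moment
        results.append(purchase(path, 1, 7, price))
    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    points = db.execute("SELECT points FROM users WHERE id = 1").fetchone()[0]
    rows = db.execute("SELECT COUNT(*) FROM points_log").fetchone()[0]
    db.close()
    return sum(results), points, rows
```

`run_concurrent` doubles as a regression test for the fix: however many requests arrive together, exactly one deduction and one ledger row should result.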