Code-Projects Human Resource Management System Improper Authorization Vulnerability in Account Handler

A critical improper authorization vulnerability has been identified in Code-Projects Human Resource Management System version 1.0.1. The issue resides in the Account handler file, specifically within the Index function. The vulnerability arises from inadequate authorization checks, allowing attackers to manipulate the user_cookie argument to bypass authentication and access restricted resources. Exploitation of this vulnerability is relatively easy, and a proof-of-concept exploit is publicly available.

Impact

Exploitation of this vulnerability allows for unauthorized access to resources or actions that should be restricted, potentially leading to unauthorized data exposure or modification.

Reproduction

To reproduce this vulnerability, send a GET request to the '/index' endpoint. Include a 'user_cookie' parameter in the Cookie header, crafted to bypass authorization checks. The 'user_cookie' value must be base64-encoded and structured to extract the desired username when decoded. This manipulation tricks the application into granting access without proper authentication.