SourceCodester Online Eyewear Shop Access Control Vulnerability in Registration Handler

Vulnerability

An access control weakness has been identified in SourceCodester Online Eyewear Shop (OEWS) version 1.0. The registration handler is reachable without authentication and imposes no restriction on how many accounts a single client may create: any request whose 'email' parameter carries a not-yet-registered address creates a new account. The advisory names two locations: '/oews/classes/Master.php?f=save_product' in its summary and '/oews/classes/Users.php?f=registration' in its reproduction steps. Only the latter is exercised by the reproduction, and 'save_product' is by its name a product-management action rather than a registration handler, so the two locations disagree. The issue is exploitable remotely and has been publicly disclosed.

Impact

Exploitation allows bulk creation of accounts by an unauthenticated remote attacker. Each request adds a row to the user store, so a scripted batch fills the database with junk accounts and can exhaust storage and processing resources on the server.

Reproduction

To reproduce, send a POST request to '/oews/classes/Users.php?f=registration' with the 'email' parameter set to an address that is not yet registered. Every request with a distinct 'email' value creates another account; no rate limit or other anti-automation control stops repetition. The request can be replayed in bulk with the Intruder module of Burp Suite, marking the 'email' value as the payload position and supplying a list of distinct addresses as the payload set.
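The following Python script is an added example written for this page; it is not code from SourceCodester or the OEWS project. It builds the Intruder-style batch of registration requests described above (unique 'email' values, rendered as raw HTTP text but never sent) and replays that batch against two in-memory handlers: one modelling the unrestricted behaviour the advisory describes, and a hardened variant with per-IP sliding-window throttling and accounts that stay inactive until verified. The 'password' field name, the Host value, the limit of 5 registrations per hour per address and the status codes are assumptions made for the example.

```python
"""Mass-registration check for an unauthenticated registration endpoint.

Added example for this advisory, not code from the OEWS project.
Assumptions: the endpoint takes application/x-www-form-urlencoded POSTs,
'email' is the only field the advisory names, and the 'password' field,
Host value, throttling limits and status codes are illustrative choices.
"""
from collections import defaultdict, deque
from urllib.parse import urlencode

REG_PATH = "/oews/classes/Users.php?f=registration"  # endpoint named in the advisory


def build_registration_batch(count, domain="example.com"):
    """Produce `count` form bodies differing only in 'email' (the Intruder
    sniper payload set, built locally). 'password' is an assumed field name."""
    return [
        {"email": f"user{i:04d}@{domain}", "password": "Passw0rd!"}
        for i in range(count)
    ]


def format_raw_request(host, fields, path=REG_PATH):
    """Render one request as the raw HTTP text a proxy would send (not transmitted)."""
    body = urlencode(fields)
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
        f"{body}"
    )


class VulnerableRegistration:
    """Models the behaviour the advisory describes: any unused email creates an account."""

    def __init__(self):
        self.accounts = {}

    def register(self, fields, client_ip, now):
        email = fields["email"]
        if email in self.accounts:
            return 400, "email already registered"
        self.accounts[email] = {"ip": client_ip, "active": True}
        return 200, "registered"


class HardenedRegistration:
    """Same interface, with per-IP sliding-window throttling and
    accounts that are created inactive until a verification step."""

    def __init__(self, max_per_window=5, window_seconds=3600):
        self.accounts = {}
        self.max_per_window = max_per_window
        self.window = window_seconds
        self._recent = defaultdict(deque)  # client_ip -> timestamps of accepted registrations

    def register(self, fields, client_ip, now):
        email = fields["email"]
        if email in self.accounts:
            return 400, "email already registered"
        recent = self._recent[client_ip]
        while recent and now - recent[0] >= self.window:  # drop timestamps outside the window
            recent.popleft()
        if len(recent) >= self.max_per_window:
            return 429, "too many registrations from this address"
        recent.append(now)
        # The account row exists but is inert until the verification token is redeemed.
        self.accounts[email] = {"ip": client_ip, "active": False}
        return 202, "verification email sent"


def run_batch(handler, batch, client_ip="203.0.113.10", start=1_700_000_000.0):
    """Replay the batch from one source address, one request per second;
    return a histogram of status codes."""
    counts = defaultdict(int)
    for i, fields in enumerate(batch):
        status, _ = handler.register(fields, client_ip, start + i)
        counts[status] += 1
    return dict(counts)


if __name__ == "__main__":
    batch = build_registration_batch(50)
    print(format_raw_request("shop.example", batch[0]))
    print("vulnerable:", run_batch(VulnerableRegistration(), batch))
    print("hardened:  ", run_batch(HardenedRegistration(), batch))
```

Replaying 50 requests from one address creates 50 active accounts in the unrestricted handler, whereas the hardened handler accepts only the first 5 as pending accounts and answers the rest with 429; the same throttle also shows the window expiring, after which the address may register again.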

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread          1.0
impact          2.5
exploitability  9.7
remediation     0.0
relevance       0.0
threat          6.4
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these eight vulnerability categories, which are then combined to calculate the overall risk score.