SourceCodester Web-Based Pharmacy Product Management System Incorrect Access Control Vulnerability

Vulnerability

An incorrect access control vulnerability has been identified in SourceCodester Web-Based Pharmacy Product Management System version 1.0. The issue allows low-privileged users to impersonate high-privileged users, such as administrators, and perform sensitive actions, including adding new users.

Impact

Exploitation of this vulnerability could lead to unauthorized user creation, potentially resulting in elevated privileges or access to restricted functionality.

Reproduction

To reproduce this vulnerability, log into the application as an admin user and add a new user. Then, in a separate (incognito) browser session, log in as a low-privileged user, such as the one just created. This account can only view its own personal information and cannot add new users. Next, capture the admin user's request data, including the session cookie, and substitute it for the low-privileged user's cookie. The low-privileged session is then treated as an admin session and can add new users.
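The following is an added illustrative example and is not code from SourceCodester or from this advisory. It shows the defensive pattern the reproduction steps point at: an "add user" handler that derives authorization from the server-side session and user record on every sensitive action, and that binds the session to the client that created it so a session identifier presented by a different client is rejected. The `$pdo` connection, the `users` table with its `role` column, `$_SESSION['user_id']` and `$_SESSION['fingerprint']` are assumptions for the example.

```php
<?php
// Added illustrative hardening for an "add user" action (not the product's own code).
// Assumptions: PHP native sessions; a `users` table with `id` and `role` columns;
// a PDO connection in $pdo; at login the application stored the authenticated
// user's id and a client fingerprint in the session and called
// session_regenerate_id(true). All names are hypothetical.

declare(strict_types=1);

session_start();

// Fingerprint of the client presenting the session cookie. Stored at login and
// compared on every request, so a cookie replayed from another browser does not match.
function session_fingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . '|' . $ip);
}

// Enforces that the current session belongs to an authenticated user whose
// server-side role equals $required. Authorization never comes from a cookie,
// hidden form field or other client-supplied value.
function require_role(PDO $pdo, string $required, string $action): array
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('not authenticated');
    }

    if (!hash_equals((string) ($_SESSION['fingerprint'] ?? ''), session_fingerprint())) {
        // Session id presented by a different client: invalidate it and log the event.
        error_log(sprintf('session fingerprint mismatch: user=%s action=%s', $_SESSION['user_id'], $action));
        session_unset();
        session_destroy();
        http_response_code(401);
        exit('session invalid');
    }

    // Re-read the role from the server-side record for every sensitive action.
    $stmt = $pdo->prepare('SELECT id, role FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$user || $user['role'] !== $required) {
        error_log(sprintf('authorization denied: user=%s action=%s required=%s', $_SESSION['user_id'], $action, $required));
        http_response_code(403);
        exit('forbidden');
    }

    return $user;
}

// add_user.php: the check runs before any user-creation logic.
$admin = require_role($pdo, 'admin', 'add_user');
// ... create the new user only after the check above has passed
```

The fingerprint check is a hardening layer rather than a replacement for the role check: binding to `REMOTE_ADDR` can break legitimate sessions for clients whose address changes (mobile networks, proxies), so some deployments bind to the user agent only or shorten session lifetime instead. The role lookup on every sensitive action is the part that addresses the access control issue directly, and the `error_log` lines give defenders a record of denied attempts to alert on.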

Added: Sep 15, 2025, 11:01 PM
Updated: Sep 15, 2025, 11:01 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.6
remediation: 0.0
relevance: 0.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.