Code-Projects Smart Parking System Missing Authentication Vulnerability in Admin Endpoints

Vulnerability

A vulnerability allowing unauthenticated access to critical admin functions has been identified in Code-Projects Smart Parking System version 1.0. The issue arises from multiple admin endpoints that lack proper authentication, enabling remote attackers to perform privileged actions without any session or credentials. Exploitation of this vulnerability could lead to unauthorized creation of attendant accounts, manipulation of parking records, and exposure of personal customer information.

Impact

Exploitation of this vulnerability grants full access to the admin panel, allowing unauthorized users to perform all administrative functions. It also enables the deletion and modification of parking records, creation of rogue attendant accounts, and unauthorized access to personal information of customers and attendants, including emails, booking history, and other private details.

Reproduction

To reproduce this vulnerability, open a new browser session without any active cookies or session tokens. Navigate to the application root to confirm the absence of an active session. Then, directly access any of the vulnerable admin endpoints, such as 'attendant.php' to create a rogue attendant account, 'edit.php' to modify parking records, 'basic_table.php' to delete parking records, 'basic_table2.php' to access all attendant personal information, or 'admin_request.php' to retrieve customer booking data.

Remediation

To address this vulnerability, implement session authentication checks at the beginning of each admin-facing PHP file. Ensure that the session is validated to confirm the user has the appropriate admin privileges before granting access to the admin functionalities.
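
One way to implement this check, as an added example that is not the project's own code. The file name auth_guard.php, the session keys (user_id, role, last_seen), the login.php path and the idle timeout are assumptions; the application's login code would have to set those session keys on a successful admin login.

```php
<?php
// auth_guard.php (hypothetical name): load as the first statement of every admin
// script with require_once, e.g. attendant.php, edit.php, basic_table.php.
declare(strict_types=1);

// Assumed names and values; align them with what the login code actually stores.
const SESSION_USER_KEY = 'user_id';
const SESSION_ROLE_KEY = 'role';
const ADMIN_ROLE       = 'admin';
const IDLE_TIMEOUT_SEC = 900;          // constructed value
const LOGIN_PAGE       = 'login.php';  // hypothetical path

// Pure check: true only for a logged-in admin whose session is not idle-expired.
function is_admin_session(array $session, int $now): bool
{
    if (empty($session[SESSION_USER_KEY])) {
        return false;                  // no authenticated user in this session
    }
    if (($session[SESSION_ROLE_KEY] ?? '') !== ADMIN_ROLE) {
        return false;                  // authenticated, but not an admin
    }
    $last = $session['last_seen'] ?? 0;
    return is_int($last) && ($now - $last) <= IDLE_TIMEOUT_SEC;
}

function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'cookie_httponly' => true,   // keep the cookie away from scripts
            'cookie_samesite' => 'Lax',
            'use_strict_mode' => true,   // reject session IDs the server did not issue
        ]);
    }
    if (!is_admin_session($_SESSION, time())) {
        $_SESSION = [];
        session_destroy();
        header('Location: ' . LOGIN_PAGE, true, 302);
        exit; // without exit the rest of the admin script would still execute
    }
    $_SESSION['last_seen'] = time();     // sliding idle timeout
}

require_admin();
```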

Added: Jun 1, 2026, 9:44 AM
Updated: Jun 1, 2026, 9:44 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 8.7
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.