SourceCodester Pharmacy Sales and Inventory System Broken Access Control Vulnerability

Vulnerability

A broken access control vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. The issue resides in the 'sell_statement' function of 'application/controllers/ShowForm.php': the access-control check is written incorrectly, so requests that carry no authenticated session are still served and unauthenticated users can view sensitive sales records. The vulnerability can be exploited remotely, and the same flaw exists in the 'supplier_payment' endpoint, which exposes supplier payment information.

Impact

Exploitation of this vulnerability allows unauthorized access to complete sales records, including sensitive details such as sales dates, invoice numbers, medicine names, unit prices, quantities sold, total amounts, discount amounts, and actual revenue received. This unauthorized access could lead to financial fraud, privacy violations, and regulatory compliance issues. Additionally, the same vulnerability in the 'supplier_payment' endpoint exposes supplier names, payment records, and financial due amounts.

Reproduction

To reproduce this vulnerability, open a web browser in a private (incognito) window, or use any HTTP client that sends no Cookie header, so that no session exists. Then request the 'sell_statement' endpoint directly without logging in. A correctly protected endpoint would redirect to the login page or return an error; here the sales statement page renders in full, displaying every sales record including date, invoice, medicine name, unit price, quantity, total amount, discount, and payment details. The same steps apply to the 'supplier_payment' endpoint, which is likewise served without authentication and exposes supplier payment information.

Remediation

To address this vulnerability, fix the logical operator in the access control check so that a request is served only when both conditions hold: a valid authenticated session exists and the user's role is explicitly permitted to view the page (deny by default, rather than denying only specific roles). Implement role-based access control that restricts sensitive reports to the roles that need them. Enforce the check centrally, in a base controller or authentication middleware that runs before every action, so that no sensitive endpoint can be reached without it, and conduct regular security audits to identify and fix similar vulnerabilities in other controllers.
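The following is an added illustrative example of the fix, not code from the SourceCodester project. It assumes a CodeIgniter 3 layout (which the 'application/controllers/' path suggests), a login handler that stores 'logged_in' (bool) and 'role' (string) in the session, and the view names 'sell_statement' and 'supplier_payment'; the session keys, role names and view names are assumptions. It shows a check of the shape that fails the way the advisory describes (a deny-list on the role joined with '||', which an anonymous request with no role passes), beside a deny-by-default decision enforced from a shared base controller:

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

/*
 * Added illustrative example (not the code shipped with SourceCodester Pharmacy
 * Sales and Inventory System). Assumes CodeIgniter 3, with the login handler
 * storing 'logged_in' (bool) and 'role' (string) in the session; those key
 * names, the role names and the view names below are assumptions.
 */

/**
 * Shape of check that fails the way the advisory describes: a deny-list on the
 * role joined with '||'. An anonymous request carries no role, so
 * "$role !== 'customer'" is true and the request is allowed without a session.
 */
function broken_access_allowed($logged_in, $role)
{
    return $logged_in || $role !== 'customer';   // DO NOT USE
}

/**
 * Corrected decision: a session must exist AND the role must be on the
 * allow-list. Returns 'allow', 'login' (no session) or 'forbidden' (wrong role).
 * Anonymous requests ($logged_in false, $role null) always get 'login'.
 */
function access_decision($logged_in, $role, array $allowed_roles)
{
    if (!$logged_in) {
        return 'login';
    }
    if (!in_array($role, $allowed_roles, true)) {
        return 'forbidden';
    }
    return 'allow';
}

/** Base controller for every sensitive controller (application/core/MY_Controller.php). */
class MY_Controller extends CI_Controller
{
    /** Enforce authentication and role before the action body runs. */
    protected function require_role(array $allowed_roles)
    {
        $decision = access_decision(
            (bool) $this->session->userdata('logged_in'),
            $this->session->userdata('role'),
            $allowed_roles
        );
        if ($decision === 'login') {
            redirect('login');          // CI3 redirect() sends the header and exits
        }
        if ($decision === 'forbidden') {
            show_error('Forbidden', 403);
        }
    }
}

/** application/controllers/ShowForm.php, with each sensitive action guarded. */
class ShowForm extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');
        $this->load->helper('url');
    }

    public function sell_statement()
    {
        $this->require_role(['admin', 'pharmacist']);
        $this->load->view('sell_statement');
    }

    public function supplier_payment()
    {
        $this->require_role(['admin']);
        $this->load->view('supplier_payment');
    }
}
```

In a real deployment MY_Controller lives in application/core/MY_Controller.php so CodeIgniter autoloads it, and every controller that renders financial data extends it; the guard then runs before any query or view is loaded, and a request with no session is redirected rather than served. Keeping the decision in a plain function (access_decision) also makes the rule unit-testable without booting the framework.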

Added: Jun 1, 2026, 1:23 PM
Updated: Jun 1, 2026, 1:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 0.6
exploitability: 9.1
remediation: 0.0
relevance: 9.7
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.