Bdtask Bhojon All-In-One Restaurant Management System
cpe:2.3:a:bdtask:bhojon:*:*:*:*:*:*:*
- <= 20260116
A business logic vulnerability has been identified in Bdtask Bhojon All-In-One Restaurant Management System versions prior to 20260116. The issue lies in the add-to-cart submission endpoint at '/hungry/addtocart'. The endpoint accepts the pricing parameters 'price' and 'allprice' from the client and applies them as submitted, so a remote attacker can set arbitrary prices for cart items, obtaining unauthorized discounts and causing financial loss. The root cause is that the application never compares user-supplied price data against the server-side product record.
Exploitation allows an attacker to arbitrarily reduce item prices before checkout, causing direct financial loss to the business. Because taxes and order totals are derived from the submitted line prices, those values are corrupted as well, widening the impact beyond the tampered item. The request is simple to script, so the flaw also lends itself to automated, mass price manipulation.
To reproduce, send a POST request to the '/hungry/addtocart' endpoint with the 'price' and 'allprice' parameters changed to attacker-chosen values. The server applies the tampered values to the shopping cart without verification, producing a cart total that favors the attacker.
It is recommended to derive all pricing data on the server, looking the unit price up from the product record and computing line totals from it, rather than accepting client-submitted prices; a submitted price that differs from the stored one should be rejected. The application should also log any such mismatch, since it indicates a deliberate tampering attempt.
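The following is an added example and not Bhojon's own code: a minimal add-to-cart handler written the way the advisory describes the vulnerable endpoint, placed beside a hardened version that implements the recommended server-side check. The product catalogue, the request dictionary, the `qty`/`product_id` parameter names and the meaning of `allprice` (assumed here to be unit price times quantity) are assumptions for illustration, and the log sink is a constructed in-memory list standing in for the application log.

```python
"""Added example (not Bhojon's code): a price-trusting add-to-cart handler
next to a hardened one that derives prices from the server-side catalogue.
The catalogue, parameter names and log sink below are constructed."""
from decimal import Decimal, InvalidOperation
from typing import Dict, List

# Constructed catalogue standing in for the server-side product table.
PRODUCTS: Dict[str, Decimal] = {
    "101": Decimal("12.50"),
    "102": Decimal("3.25"),
}

# Constructed log sink; a real deployment would write to the application log.
AUDIT_LOG: List[str] = []


class TamperedPrice(Exception):
    """Raised when a client-supplied price does not match the catalogue."""


def vulnerable_addtocart(params: Dict[str, str]) -> dict:
    """Trusts 'price' and 'allprice' from the request, as the advisory describes."""
    qty = int(params["qty"])
    return {
        "product_id": params["product_id"],
        "qty": qty,
        "price": Decimal(params["price"]),        # attacker-controlled
        "allprice": Decimal(params["allprice"]),  # attacker-controlled
    }


def hardened_addtocart(params: Dict[str, str]) -> dict:
    """Derives every monetary value from the catalogue and logs mismatches.

    Client-sent 'price'/'allprice' are never used for the cart; they are only
    compared against the server-side values to detect tampering.
    """
    product_id = params["product_id"]
    if product_id not in PRODUCTS:
        raise KeyError(f"unknown product {product_id!r}")
    qty = int(params["qty"])
    if qty < 1:
        raise ValueError("quantity must be positive")
    unit_price = PRODUCTS[product_id]
    line_total = unit_price * qty  # assumption: allprice = unit price * qty

    for field, expected in (("price", unit_price), ("allprice", line_total)):
        sent = params.get(field)
        if sent is None:
            continue  # absent is fine: the server computes the value anyway
        try:
            matches = Decimal(sent) == expected
        except InvalidOperation:
            matches = False  # non-numeric input is treated as tampering
        if not matches:
            AUDIT_LOG.append(
                f"price tamper: product={product_id} {field}={sent!r} expected={expected}"
            )
            raise TamperedPrice(field)

    return {"product_id": product_id, "qty": qty,
            "price": unit_price, "allprice": line_total}


def rejects_tamper(params: Dict[str, str]) -> bool:
    """True if the hardened handler refuses the request as tampered."""
    try:
        hardened_addtocart(params)
    except TamperedPrice:
        return True
    return False


# Constructed request mirroring the advisory's reproduction step: two units of
# product 101 with both prices knocked down to a cent each.
TAMPERED = {"product_id": "101", "qty": "2", "price": "0.01", "allprice": "0.02"}

if __name__ == "__main__":
    print("vulnerable cart line:", vulnerable_addtocart(TAMPERED))
    print("hardened rejects it:", rejects_tamper(TAMPERED))
    print("audit log:", AUDIT_LOG)
```

The hardened handler ignores the client's numbers for the cart and raises instead of silently correcting them; silently substituting the real price would still stop the loss but would hide the tampering attempt from the log the advisory asks for.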