SourceCodester Pet Grooming Management Software Improper Access Control Vulnerability
Vulnerability
An improper authorization vulnerability has been identified in SourceCodester Pet Grooming Management Software version 1.0. The issue resides in the User Management component, specifically in the file '/admin/operation/user.php'. It allows an authenticated user to create an administrator account by manipulating the 'group_id' argument. The vulnerability can be exploited remotely, and exploit details are publicly available.
Impact
Exploitation of this vulnerability leads to unauthorized privilege escalation, allowing a user to gain full administrative rights within the application. This includes the ability to manage other users, access and modify data, and change system settings, significantly increasing the risk of compromising the entire system.
Reproduction
To reproduce this vulnerability, log in as a normal user and capture an authenticated request using a tool like Burp Suite. Copy the session cookie and send a crafted request to the admin-only user creation endpoint, including the manipulated 'group_id' argument. Once the request is submitted, log in with the newly created admin credentials to gain access.
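As an added illustration (not SourceCodester's code; the table, column, session-key and role-constant names are assumptions), the PHP sketch below contrasts a user-creation handler that trusts a client-supplied 'group_id' with one that derives the privilege decision from the caller's server-side record, which is the fix the advisory implies:

```php
<?php
// Added illustration, not the project's code. The users table, its
// id/group_id columns, $_SESSION['user_id'] and the role constants are
// assumptions; the advisory only names the 'group_id' argument.
const GROUP_ADMIN = 1;
const GROUP_USER  = 2;

session_start();

// Vulnerable pattern: being logged in is the only gate, and the request
// body chooses the group, so any user can ask for the admin group.
function createUserUnsafe(PDO $db, array $post): void {
    if (empty($_SESSION['user_id'])) { http_response_code(401); exit; }
    $stmt = $db->prepare('INSERT INTO users (username, password, group_id) VALUES (?, ?, ?)');
    $stmt->execute([$post['username'],
                    password_hash($post['password'], PASSWORD_DEFAULT),
                    (int)$post['group_id']]);
}

// Look up the caller's group from the database, never from the request.
function callerGroup(PDO $db): ?int {
    if (empty($_SESSION['user_id'])) { return null; }
    $stmt = $db->prepare('SELECT group_id FROM users WHERE id = ?');
    $stmt->execute([(int)$_SESSION['user_id']]);
    $g = $stmt->fetchColumn();
    return $g === false ? null : (int)$g;
}

// Hardened pattern: only administrators reach the operation, the attempt
// is logged for detection, and the requested group is validated.
function createUserSafe(PDO $db, array $post): void {
    $caller = callerGroup($db);
    if ($caller === null) { http_response_code(401); exit; }
    if ($caller !== GROUP_ADMIN) {
        error_log(sprintf('denied user creation: uid=%d requested group_id=%s',
            $_SESSION['user_id'], $post['group_id'] ?? 'none'));
        http_response_code(403); exit;
    }
    $group = (int)($post['group_id'] ?? GROUP_USER);
    if (!in_array($group, [GROUP_ADMIN, GROUP_USER], true)) {
        http_response_code(400); exit;
    }
    $stmt = $db->prepare('INSERT INTO users (username, password, group_id) VALUES (?, ?, ?)');
    $stmt->execute([$post['username'],
                    password_hash($post['password'], PASSWORD_DEFAULT),
                    $group]);
}
```

The 403 log line gives defenders a concrete event to alert on: a non-admin session submitting a request with 'group_id' set to the admin group.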
