Detronetdip E-commerce Unauthenticated Account Creation Vulnerability

Vulnerability

A vulnerability exists in Detronetdip E-commerce version 1.0.0, specifically within the account creation endpoint for sellers. The issue arises in the file '/Admin/assets/backend/seller/add_seller.php', where the application fails to authenticate requests. This flaw allows unauthenticated users to create seller accounts by manipulating the 'email' parameter. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows for unauthorized account creation, bypassing any frontend approval processes. This could lead to unauthorized access to seller privileges on the platform.

Reproduction

To reproduce this vulnerability, send a POST request to '/Admin/assets/backend/seller/add_seller.php' without authentication. Include the 'email', 'pass', and 'mobile' parameters in the request. The server will respond with '1', indicating that the account has been successfully created.

Remediation

To address this vulnerability, implement session validation checks in the 'add_seller.php' and 'add_user.php' files. Ensure that the scripts verify if the user is an authenticated administrator before processing account creation.
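One way to implement the session check described above, as an added example that is not the project's own code. The file name 'require_admin.php' and the session keys 'admin_id' and 'is_admin' are assumptions; use whatever the application's admin login handler actually stores in the session.

```php
<?php
// require_admin.php (hypothetical file name): shared guard for
// add_seller.php and add_user.php. Call require_admin() as the first
// statement of each script, before any request parameter is read.
declare(strict_types=1);

// Pure check on the session contents, kept separate for unit testing.
// Assumption: the admin login handler sets 'admin_id' and 'is_admin'.
function is_authenticated_admin(array $session): bool
{
    return isset($session['admin_id'])
        && ($session['is_admin'] ?? false) === true;
}

function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start([
            'use_strict_mode' => true,   // reject session IDs the server did not issue
            'cookie_httponly' => true,   // keep the session cookie away from scripts
            'cookie_samesite' => 'Strict',
        ]);
    }

    // Account creation is a state change: accept POST only.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit;
    }

    // Fail closed: without an authenticated administrator the script
    // stops here, so no account is created and '1' is never returned.
    if (!is_authenticated_admin($_SESSION)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage at the top of add_seller.php (and add_user.php):
//   require __DIR__ . '/require_admin.php';
//   require_admin();
```

Placing the call before any parameter handling ensures an unauthenticated request is rejected before the 'email', 'pass' and 'mobile' values reach the account creation logic.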

Added: Feb 8, 2026, 5:19 PM
Updated: Feb 8, 2026, 5:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.