SourceCodester Loan Management System Business Logic Vulnerability Allowing Negative Penalty Rates

Vulnerability

A business logic vulnerability has been identified in SourceCodester Loan Management System version 1.0. This issue arises from inadequate server-side validation, allowing administrators to create loan plans with negative penalty rates for overdue payments. Although the frontend restricts users from entering negative values in the 'Monthly Overdue Penalty' field, this limitation is not applied on the backend. An authenticated attacker can exploit this by manipulating the HTTP POST request to include a negative penalty rate, undermining the application's financial logic regarding overdue loans.

Impact

Exploitation of this vulnerability disrupts the application's financial calculations by allowing negative penalty rates, which can lead to incorrect deductions from borrowers' total payable amounts, creating financial discrepancies.

Reproduction

To reproduce this vulnerability, log into the application as an administrator and navigate to the Plan Management page. The frontend will block negative inputs in the 'Monthly Overdue Penalty' field. However, this restriction can be bypassed by sending a POST request to the 'ajax.php?action=save_plan' endpoint with a negative value for the 'penalty_rate' parameter. Once the request is processed, the negative penalty rate will be reflected in the system, confirming the vulnerability.
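The missing control is a server-side check that the frontend restriction cannot replace. The following is an added PHP example of such a check for the 'ajax.php?action=save_plan' handler; it is not code from the SourceCodester project. Only the 'penalty_rate' parameter and the endpoint are taken from the advisory; the function names, the JSON error shape and the assumption that the handler reads its fields from $_POST are mine.

```php
<?php
// Added example, not the application's own code. Assumes the save_plan
// handler receives its fields in $_POST (assumption); only 'penalty_rate'
// and the save_plan endpoint are named in the advisory.

function validate_penalty_rate(array $post): array
{
    $errors = [];
    $rate = $post['penalty_rate'] ?? '';

    // Accept only a plain non-negative decimal with at most two places.
    // A leading '-' (the tampered request), an empty string, '1e3' or
    // 'abc' all fail this pattern, so the sign check is not bypassable
    // by type juggling or exotic numeric formats.
    if (!is_string($rate) || !preg_match('/^\d+(\.\d{1,2})?$/', $rate)) {
        $errors[] = 'penalty_rate must be a non-negative decimal with at most two places';
    } elseif ((float) $rate > 100.0) {
        // Upper bound is an assumed business rule: a monthly penalty above
        // 100 percent is as implausible as a negative one.
        $errors[] = 'penalty_rate must not exceed 100';
    }
    return $errors;
}

function handle_save_plan(array $post): string
{
    $errors = validate_penalty_rate($post);
    if ($errors !== []) {
        // Reject before any database write; the client-side 'min' attribute
        // on the form field is advisory only and was bypassed here.
        http_response_code(422);
        return json_encode(['status' => 'failed', 'errors' => $errors]);
    }
    // ... proceed with the existing insert/update, using a prepared
    // statement and, as defence in depth, a CHECK (penalty_rate >= 0)
    // constraint on the plans table (constraint name is an assumption).
    return json_encode(['status' => 'success']);
}

// Constructed requests: a legitimate plan and the manipulated POST body.
$legitimate = ['penalty_rate' => '2.50'];
$tampered   = ['penalty_rate' => '-2.50'];
echo handle_save_plan($legitimate), PHP_EOL;
echo handle_save_plan($tampered), PHP_EOL;
```

Because the validator operates on the raw string, a request that passes it can be stored without any further sign or format check downstream.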

Added: Apr 1, 2026, 2:38 PM
Updated: Apr 1, 2026, 2:38 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 4.2
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.