SourceCodester Loan Management System
cpe:2.3:a:loan_management_system_project:loan_management_system:*:*:*:*:*:*:*
- 1.0
A business logic vulnerability has been identified in SourceCodester Loan Management System version 1.0. The loan plan creation endpoint does not validate the 'months' parameter: the backend never checks that the duration, specified in months, is a positive integer, so an authenticated administrator (or anyone able to issue requests as one) can create a 'Loan Plan' with a negative duration. The plan is stored with a logically invalid term, which can disrupt loan scheduling and due date calculations and leave inconsistent records in the database.
Exploiting this vulnerability creates logically invalid loan plans, corrupting time-dependent calculations and potentially causing system errors or instability when processing payments.
To reproduce this vulnerability, send an authenticated administrator POST request to 'ajax.php?action=save_plan' with a negative value for the 'months' parameter, together with the 'interest_percentage' and 'penalty_rate' parameters the plan form normally submits. The server accepts the request and creates a loan plan with the negative duration, despite it being logically invalid.
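The following is an added example, not code from the SourceCodester project (which is written in PHP): a Python model of the server-side check that the save_plan handler is missing, alongside a naive installment schedule that shows how a negative duration breaks due date computation. The parameter names 'months', 'interest_percentage' and 'penalty_rate' come from the advisory; the sample values, the 360-month cap, the 0-100 rate bound and the function names are assumptions for illustration.

```python
import re
from datetime import date
from urllib.parse import urlencode

# Constructed payloads shaped like the reported ajax.php?action=save_plan
# request. Parameter names come from the advisory; the values are assumed.
MALICIOUS_PLAN = {"months": "-12", "interest_percentage": "5", "penalty_rate": "2"}
VALID_PLAN = {"months": "12", "interest_percentage": "5", "penalty_rate": "2"}

# Match the raw strings, not the converted numbers: int("-12") converts
# happily, so a sign or any non-digit must be rejected before conversion.
_UINT_RE = re.compile(r"[0-9]{1,3}")
_RATE_RE = re.compile(r"[0-9]{1,3}(\.[0-9]{1,2})?")

MAX_MONTHS = 360  # assumed upper bound (30 years); not from the project


def validate_plan(params):
    """Server-side check a save_plan handler should run before inserting.

    Returns (ok, errors). A negative, zero, fractional or oversized duration
    and an out-of-range rate each produce an error instead of a stored plan.
    """
    errors = []
    months = params.get("months", "")
    if not _UINT_RE.fullmatch(months) or int(months) == 0:
        errors.append("months must be a positive whole number")
    elif int(months) > MAX_MONTHS:
        errors.append("months exceeds the maximum plan duration")

    for field in ("interest_percentage", "penalty_rate"):
        value = params.get(field, "")
        if not _RATE_RE.fullmatch(value) or float(value) > 100:
            errors.append(f"{field} must be a decimal between 0 and 100")
    return (not errors, errors)


def _add_months(start, n):
    """Advance a date by n calendar months, clamping to the month's last day."""
    month_index = start.month - 1 + n
    year = start.year + month_index // 12
    month = month_index % 12 + 1
    if month == 12:
        last_day = 31
    else:
        last_day = (date(year, month + 1, 1) - date(year, month, 1)).days
    return date(year, month, min(start.day, last_day))


def due_dates(start, months):
    """Naive installment schedule: one due date per month after `start`.

    With a negative or zero duration the schedule collapses to an empty
    list: a loan on such a plan never gets a due date, so payment and
    penalty processing have nothing to reconcile against. This is the
    time-dependent breakage the advisory describes.
    """
    return [_add_months(start, i) for i in range(1, months + 1)]


def build_request_body(params):
    """Form-encode the body the browser would POST to save_plan."""
    return urlencode(params)


if __name__ == "__main__":
    print("POST body:", build_request_body(MALICIOUS_PLAN))
    print("validate_plan:", validate_plan(MALICIOUS_PLAN))
    print("schedule for -12 months:", due_dates(date(2024, 1, 1), -12))
    print("schedule for 2 months from 2024-01-31:", due_dates(date(2024, 1, 31), 2))
```

The check deliberately matches the untrusted string before converting it, so "-12", "1.5", "12abc" and an empty value all fail the same way; applying the same pattern in the PHP handler before the INSERT is the corresponding fix.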