SourceCodester Pharmacy Product Management System Overselling Vulnerability
Vulnerability
A business logic vulnerability has been identified in SourceCodester Pharmacy Product Management System version 1.0. The issue resides in the add-sales.php file, where the application does not validate whether the requested sale quantity (the txtqty parameter) exceeds the available stock. This flaw allows an attacker to manipulate the request and purchase quantities far higher than what is in stock. As a result, the system may process transactions that leave inventory at negative levels or create orders that cannot be fulfilled, causing a denial of service for legitimate customers.
Impact
Exploitation of this vulnerability can corrupt inventory records by creating negative stock values, allow the placement of unfulfillable orders, and potentially disrupt service for legitimate customers by depleting available inventory.
Reproduction
To reproduce this vulnerability, deploy the Pharmacy Product Management System locally and identify a product with low stock, such as 'Panadol' with only one unit remaining. Intercept the 'Add Sales' request and modify the 'txtqty' parameter to a value significantly higher than the available stock, such as '1000'.
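The following added example (not code from the project) models the add-sales flow in Python on a constructed in-memory SQLite table, with the unchecked quantity handling beside a hardened version; the 'Panadol' product with one unit in stock and the txtqty value of 1000 follow the description above, while the table layout, function names and ValueError signalling are assumptions for illustration.

```python
import sqlite3

def new_db() -> sqlite3.Connection:
    """Constructed in-memory inventory: 'Panadol' (id 1) has a single unit in stock."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, stock INTEGER NOT NULL)")
    db.execute("CREATE TABLE sales (product_id INTEGER, qty INTEGER)")
    db.execute("INSERT INTO products VALUES (1, 'Panadol', 1)")
    db.commit()
    return db

def add_sale_vulnerable(db: sqlite3.Connection, product_id: int, txtqty: str) -> int:
    """Models the flawed behaviour: trusts txtqty and decrements stock unconditionally.
    Returns the resulting stock level, which can go negative."""
    qty = int(txtqty)
    db.execute("INSERT INTO sales VALUES (?, ?)", (product_id, qty))
    db.execute("UPDATE products SET stock = stock - ? WHERE id = ?", (qty, product_id))
    db.commit()
    return db.execute("SELECT stock FROM products WHERE id = ?", (product_id,)).fetchone()[0]

def add_sale_hardened(db: sqlite3.Connection, product_id: int, txtqty: str) -> int:
    """Hardened version: rejects non-numeric and non-positive quantities and decrements
    stock only when enough is available. The availability check and the decrement are a
    single conditional UPDATE, so two concurrent requests cannot both pass a separate
    read-then-write check. Raises ValueError when the sale cannot be fulfilled."""
    try:
        qty = int(txtqty)
    except ValueError:
        raise ValueError("quantity must be an integer")
    if qty <= 0:
        raise ValueError("quantity must be positive")
    cur = db.execute(
        "UPDATE products SET stock = stock - ? WHERE id = ? AND stock >= ?",
        (qty, product_id, qty),
    )
    if cur.rowcount != 1:  # no row matched: unknown product or insufficient stock
        db.rollback()
        raise ValueError("requested quantity exceeds available stock")
    db.execute("INSERT INTO sales VALUES (?, ?)", (product_id, qty))
    db.commit()
    return db.execute("SELECT stock FROM products WHERE id = ?", (product_id,)).fetchone()[0]

if __name__ == "__main__":
    print("vulnerable flow leaves stock at:", add_sale_vulnerable(new_db(), 1, "1000"))
    try:
        add_sale_hardened(new_db(), 1, "1000")
    except ValueError as e:
        print("hardened flow rejected the sale:", e)
```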
