SourceCodester Pharmacy Product Management System Business Logic Vulnerability Allowing Negative Financial Values
Vulnerability
A business logic vulnerability has been identified in SourceCodester Pharmacy Product Management System version 1.0. The issue resides in the add-stock.php file, which does not validate the 'txtprice' and 'txttotalcost' parameters during stock entry (in particular, it does not reject negative values). This missing validation allows negative financial values to be submitted, corrupting financial records. An attacker could manipulate inventory asset values and procurement costs by injecting negative prices, causing significant discrepancies in the application's financial reporting.
Impact
Exploitation of this vulnerability could result in financial reporting fraud by artificially inflating profits and distorting the cost of goods sold. Additionally, it corrupts database records related to procurement costs and can be used to offset unauthorized inventory removals by manipulating the cost basis.
Reproduction
To reproduce this vulnerability, deploy the Pharmacy Product Management System locally and log into the application. Navigate to the 'Add Stock' page and intercept the 'Save' request using a proxy tool. Modify the 'txtprice' and 'txttotalcost' parameters to include negative values before submitting the request.
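As an added illustration (not code from the SourceCodester project), the following is a server-side check that add-stock.php could apply before persisting the entry; the 'txtqty' field name and the price × quantity relationship are assumptions, while 'txtprice' and 'txttotalcost' are the parameters named above.

```php
<?php
declare(strict_types=1);
// Added example, not SourceCodester code. 'txtprice'/'txttotalcost' come from
// the advisory; 'txtqty' is an assumed quantity field for the cross-check.

// Parse an unsigned amount ("12", "12.5", "12.50") into integer cents, or null
// for a sign, exponent, hex, whitespace or more than two decimals. Matching the
// raw string sidesteps PHP's lenient numeric coercion, which accepts "-5"/"1e3".
function parseCents(string $raw): ?int
{
    if (!preg_match('/^(0|[1-9]\d{0,7})(\.(\d{1,2}))?$/', $raw, $m)) {
        return null;
    }
    $fraction = str_pad($m[3] ?? '', 2, '0');   // "5" -> "50", "" -> "00"
    return (int)$m[1] * 100 + (int)$fraction;
}

// Validate the add-stock form. Returns error strings; empty means safe to store.
function validateStockEntry(array $post): array
{
    $errors = [];
    $price  = parseCents((string)($post['txtprice'] ?? ''));
    $total  = parseCents((string)($post['txttotalcost'] ?? ''));
    $qtyRaw = (string)($post['txtqty'] ?? '');
    if ($price === null) {
        $errors[] = 'txtprice must be a non-negative amount with at most two decimals';
    }
    if ($total === null) {
        $errors[] = 'txttotalcost must be a non-negative amount with at most two decimals';
    }
    if (!preg_match('/^[1-9]\d{0,6}$/', $qtyRaw)) {
        $errors[] = 'txtqty must be a positive integer';
    }
    // Never trust a client-computed total: recompute it server-side so a tampered
    // txttotalcost cannot distort the recorded cost basis.
    if ($errors === [] && $price * (int)$qtyRaw !== $total) {
        $errors[] = 'txttotalcost does not equal txtprice * txtqty';
    }
    return $errors;
}

// Request handler: reject the entry before any INSERT runs.
$errors = validateStockEntry($_POST);
if ($errors !== []) {
    http_response_code(400);
    exit(implode("\n", $errors));
}
```

A CHECK constraint (for example, price >= 0 and total cost >= 0) on the stock table catches the same class of tampering at the database layer if another code path bypasses this check.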
