LalanaChami Pharmacy Management System Unauthenticated API Access Vulnerability

Vulnerability

A vulnerability exists in the LalanaChami Pharmacy Management System in commit 5c3d028, where API endpoints lack authentication middleware. This flaw allows unauthenticated remote attackers to access sensitive data and modify inventory. Exploitation can lead to unauthorized access to user records, including bcrypt password hashes, through the /api/user/getUserData endpoint. Additionally, attackers can alter drug inventory and retrieve private medical prescription data via the /api/doctorOder endpoint.

Impact

Exploitation of this vulnerability allows for unauthorized access to user data, including password hashes, modification of drug inventory, and access to private medical prescriptions. This could lead to a broader compromise of the pharmacy management system.

Reproduction

The vulnerability can be reproduced by sending unauthenticated requests to the affected API endpoints. User data can be accessed by calling the /api/user/getUserData endpoint, while drug inventory can be modified and private medical prescriptions accessed through the /api/doctorOder endpoint.

Added: May 19, 2026, 4:25 PM
Updated: May 19, 2026, 4:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 8.7
remediation: 0.0
relevance: 8.8
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.