SourceCodester Web-Based Pharmacy Product Management System Session Management Vulnerability
Vulnerability
A vulnerability exists in SourceCodester Web-Based Pharmacy Product Management System version 1.0, where active sessions are not invalidated after an admin account is deleted. This flaw allows continued access to administrative features through the old session, bypassing access controls and potentially leading to unauthorized actions or data exposure.
Impact
Exploitation of this vulnerability allows for a privilege revocation bypass, enabling continued administrative access after an account has been deleted. This could result in unauthorized access to sensitive system data and functionalities.
Reproduction
To reproduce this vulnerability, log in as a super admin and create an admin account. Log in as the newly created admin and, while that admin session is still active, delete the account from the super admin dashboard. The session of the deleted admin account remains valid, so the admin dashboard and its features are still reachable through it.
Remediation
It is recommended to invalidate all active sessions belonging to a user account at the moment that account is deleted, and to route every administrative request through a centralized authorization check so that access control is enforced consistently.
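The following is an added example, not code from the SourceCodester project, showing the two remediation layers in a minimal session store: sessions are revoked when their account is deleted, and every privileged request re-checks that the session's account still exists and still holds the required role. The names SessionStore, delete_user and require_role are assumptions made for this illustration.

```python
# Added example (not SourceCodester code). SessionStore, delete_user and
# require_role are hypothetical names chosen for this illustration.
import secrets


class SessionStore:
    def __init__(self):
        self.users = {}      # user_id -> {"role": str}
        self.sessions = {}   # session_id -> user_id

    def add_user(self, user_id, role):
        self.users[user_id] = {"role": role}

    def login(self, user_id):
        # Issue an opaque, unguessable session id bound to the account.
        if user_id not in self.users:
            raise PermissionError("unknown user")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = user_id
        return sid

    def delete_user(self, user_id, revoke_sessions=True):
        # Fix layer 1: deleting the account also drops every session it
        # owns. revoke_sessions=False mirrors the vulnerable behaviour, where
        # the account row disappears but its sessions are left in place.
        self.users.pop(user_id, None)
        revoked = 0
        if revoke_sessions:
            stale = [s for s, u in self.sessions.items() if u == user_id]
            for s in stale:
                del self.sessions[s]
            revoked = len(stale)
        return revoked

    def require_role(self, sid, role):
        # Fix layer 2: the centralized check every admin endpoint calls.
        # A session is only valid if it maps to an account that still exists
        # and still has the role; orphaned sessions are dropped on sight.
        user_id = self.sessions.get(sid)
        if user_id is None or user_id not in self.users:
            self.sessions.pop(sid, None)
            return False
        return self.users[user_id]["role"] == role


def demo(revoke_sessions=True):
    # Constructed scenario from the advisory: super admin creates an admin,
    # the admin logs in, the super admin deletes the account.
    store = SessionStore()
    store.add_user("superadmin", "superadmin")
    store.add_user("admin2", "admin")
    sid = store.login("admin2")
    before = store.require_role(sid, "admin")
    store.delete_user("admin2", revoke_sessions=revoke_sessions)
    after = store.require_role(sid, "admin")
    return before, after
```

Running demo(revoke_sessions=False) shows that the per-request account lookup alone already denies the stale session, so the two layers act as defence in depth.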
