SourceCodester Indian Invoicing System <= 1.0
A broken access control vulnerability has been identified in SourceCodester Indian Invoicing System version 1.0. The issue resides in the backend endpoint, where several administrative pages are improperly secured. The backend only verifies session validity, allowing any authenticated user to access and modify core business records such as customer, category, state, and company profile data. This vulnerability can be exploited remotely and has been publicly disclosed.
Exploitation of this vulnerability allows low-privilege users to access and edit administrative pages without authorization, potentially leading to the manipulation of critical business data.
To reproduce this vulnerability, any authenticated (non-admin) user session can be used to request the vulnerable endpoints directly. Because no role validation is performed, non-admin users can reach and edit the sensitive information on these pages.
It is recommended to enforce role-based access control by requiring admin privileges for all administrative pages. Additionally, all create, read, update, and delete views should be audited to ensure that a backend role check is in place for each one. Logging privileged actions, so that an audit trail of edits to master data exists, can also improve accountability.
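The following added example (not code from the Indian Invoicing System itself) contrasts the flawed guard described above, which checks only that a session exists, with a hardened guard that also enforces a role and records privileged edits in an audit trail; the Session class, the role names and the in-memory company profile record are constructed stand-ins for the application's real session and database objects.

```python
import functools
from dataclasses import dataclass
from typing import Callable, Optional

AUDIT_TRAIL: list = []  # constructed in-memory audit trail of privileged edits

@dataclass(frozen=True)
class Session:
    user_id: int
    username: str
    role: str  # assumed roles for this example: "admin" or "staff"

# Constructed stand-in for the company profile master record (a DB row in the real app).
MASTER_DATA = {"company_profile": {"name": "Example Ltd", "gstin": "PLACEHOLDER-GSTIN"}}

def session_only(view: Callable) -> Callable:
    """Weak guard mirroring the advisory: any valid session passes, the role is never checked."""
    @functools.wraps(view)
    def wrapper(session: Optional[Session], **fields):
        if session is None:
            return 401, "login required"
        return view(session, **fields)
    return wrapper

def require_role(role: str) -> Callable:
    """Hardened guard: requires a session *and* the given role, and logs every outcome."""
    def decorator(view: Callable) -> Callable:
        @functools.wraps(view)
        def wrapper(session: Optional[Session], **fields):
            if session is None:
                return 401, "login required"
            if session.role != role:  # server-side role check, independent of any UI hiding
                AUDIT_TRAIL.append({"user": session.username, "role": session.role, "view": view.__name__, "outcome": "denied", "fields": dict(fields)})
                return 403, "forbidden"
            status, msg = view(session, **fields)
            AUDIT_TRAIL.append({"user": session.username, "role": session.role, "view": view.__name__, "outcome": "allowed", "fields": dict(fields)})
            return status, msg
        return wrapper
    return decorator

@session_only
def update_company_profile_vulnerable(session: Session, **fields):
    MASTER_DATA["company_profile"].update(fields)  # any logged-in user can modify master data
    return 200, "updated"

@require_role("admin")
def update_company_profile_fixed(session: Session, **fields):
    MASTER_DATA["company_profile"].update(fields)  # reached only by admin sessions
    return 200, "updated"
```

The same decorator should be applied to every customer, category, state and company profile view, since the advisory notes that the flaw spans all of these CRUD pages.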