SourceCodester eDoc Doctor Appointment System Missing Authorization Vulnerability in delete-session.php

Vulnerability

A missing authorization vulnerability exists in SourceCodester eDoc Doctor Appointment System version 1.0. The issue is located in the admin/delete-session.php file, which acts on the ID parameter without first verifying that the requester is authenticated and holds the administrator role. Because the endpoint performs no authorization check, remote, unauthenticated attackers can delete appointment or session records.

Impact

Exploitation of this vulnerability allows for unauthorized deletion of appointment or session records via the admin/delete-session.php endpoint.

Reproduction

The vulnerability can be reproduced by sending a request to the admin/delete-session.php endpoint with an ID parameter. The absence of authorization checks will result in the deletion of the specified session or appointment record, confirming the vulnerability.

Remediation

To address this vulnerability, it is recommended to enforce authentication and authorization checks for all administrative endpoints, validate user roles before processing delete operations, restrict direct access to sensitive administrative functionality, and implement centralized access control middleware.
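The following PHP sketch shows what the recommended fix looks like when applied to a delete handler of this shape. It is an added example written for this page, not the eDoc project's own code; the session keys (user_id, role, csrf_token), the table name tbl_session, the include path for the database connection, and the redirect target are all assumptions, since the page does not show the application's source. It also moves the delete from a bare GET parameter to an authenticated POST with an anti-CSRF token, which is a further hardening step beyond the remediation text itself.

```php
<?php
// Added example (not the eDoc project's code). Hypothetical hardened
// admin/delete-session.php: authenticate, authorize, CSRF-check, then delete
// with a prepared statement. Session keys, table and paths are assumptions.

declare(strict_types=1);
session_start();

// Centralized guard: include at the top of every admin/*.php page so that
// no administrative endpoint can be reached without a logged-in admin.
function require_admin(): void
{
    // Assumption: the login code stores user_id and role in the session.
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
        http_response_code(403);
        error_log('denied admin action from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
        exit('Forbidden');
    }
}

// State-changing actions should be POST-only and carry an anti-CSRF token.
function require_post_with_csrf(): void
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit('Method Not Allowed');
    }
    $sent     = (string)($_POST['csrf_token'] ?? '');
    $expected = (string)($_SESSION['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// Delete one session record by integer id; returns the number of rows removed.
// A prepared statement keeps the id out of the SQL text entirely.
function delete_session_record(PDO $db, int $id): int
{
    $stmt = $db->prepare('DELETE FROM tbl_session WHERE id = :id'); // table name assumed
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount();
}

require_admin();            // authorization before anything else
require_post_with_csrf();   // then request-shape and CSRF validation

// Accept only a positive integer id; anything else is a bad request.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad Request');
}

// Assumption: this include defines $db as a PDO connection (hypothetical path).
require_once __DIR__ . '/../include/config.php';
$deleted = delete_session_record($db, $id);

// Audit trail: who deleted what, so the action is visible in the logs.
error_log(sprintf('admin %d deleted session %d (%d row)', (int)$_SESSION['user_id'], $id, $deleted));
header('Location: manage-session.php?deleted=' . $deleted); // hypothetical redirect target
exit;
```

The order matters: the role check runs before the request is parsed, so an unauthenticated caller never reaches the delete logic, and the guard lives in a function that every admin page includes rather than being re-implemented per file, which is the centralized access control the remediation section asks for.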

Added: May 26, 2026, 11:40 PM
Updated: May 26, 2026, 11:40 PM

Vulnerability Rating

Custom Algorithm

  spread          0.0
  impact          0.6
  exploitability  6.0
  remediation     0.0
  relevance       9.6
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.