VYPR
Unrated severity · NVD Advisory · Published Nov 27, 2024 · Updated Nov 28, 2024

SourceCodester Best House Rental Management System POST Request ajax.php improper authorization

CVE-2024-11860

Description

A vulnerability classified as critical has been found in SourceCodester Best House Rental Management System 1.0. This affects an unknown part of the file /rental/ajax.php?action=delete_tenant of the component POST Request Handler. The manipulation of the argument id leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthorized tenant deletion in SourceCodester Best House Rental Management System 1.0 via missing authentication check in /rental/ajax.php?action=delete_tenant.

Vulnerability

The Best House Rental Management System v1.0 from SourceCodester [2] contains an improper authorization vulnerability in the /rental/ajax.php?action=delete_tenant endpoint. The application fails to verify user authentication or authorization before processing a POST request to delete a tenant record. The id parameter is accepted without any session or permission check, allowing any remote attacker to delete arbitrary tenant entries. This affects version 1.0 as distributed by SourceCodester [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted POST request to /rental/ajax.php?action=delete_tenant with a valid tenant ID in the id parameter. No authentication or prior access is required. The request can be made from any remote location. The exploit has been publicly disclosed with a proof-of-concept payload [1]. For example, sending id=12 deletes the tenant with that ID.

Impact

Successful exploitation allows an attacker to delete any tenant record without authorization. This leads to loss of critical tenant data, disruption of business operations, and potential financial and reputational damage to the organization [1].

Mitigation

As of the publication date, no official patch has been released by SourceCodester. The vendor homepage [2] does not provide an update. The recommended mitigation is to implement proper authentication and authorization checks on the /rental/ajax.php?action=delete_tenant endpoint, ensuring only authenticated users with appropriate permissions can delete tenant records. Until a fix is available, administrators should restrict network access to the application or apply a web application firewall rule to block unauthorized requests to this endpoint [1].
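To make the missing check concrete, the following is an added example written for this page; it is not the SourceCodester project's code, which is not reproduced here. It places a handler of the shape the advisory describes (the request's id parameter is the only input consulted) next to a hardened version that requires a session, a role allowed to delete tenants, a CSRF token and a validated id. The table and column names (tenants, id), the session keys (login_id, login_type, csrf_token), the role name admin and the use of an in-memory SQLite table for the self-contained dispatch are all assumptions.

```php
<?php
// Added example for this advisory page. NOT the SourceCodester project's code:
// table/column names, session keys, the 'admin' role and the in-memory database
// are assumptions chosen so the file runs on its own.

session_start();

// --- Vulnerable shape (what the advisory describes) ------------------------
// Only $_POST['id'] is consulted; nothing asks who is making the request,
// so any remote client that can reach the endpoint can delete any tenant.
function delete_tenant_unchecked(PDO $db, array $post): bool
{
    $stmt = $db->prepare('DELETE FROM tenants WHERE id = ?');
    return $stmt->execute([(int) ($post['id'] ?? 0)]);
}

// --- Hardened shape --------------------------------------------------------
// 1. Authentication: a logged-in session must exist.
// 2. Authorization: the session's role must be one allowed to delete tenants.
// 3. CSRF: a same-session token, so a logged-in admin cannot be tricked by a
//    cross-site form post into deleting a record.
// 4. Input validation plus a bound parameter for the id.
// 5. An audit line naming the actor and the record, for later forensic review.
function delete_tenant_checked(PDO $db, array $session, array $post): array
{
    if (empty($session['login_id'])) {
        return ['status' => 403, 'body' => 'authentication required'];
    }
    if (($session['login_type'] ?? '') !== 'admin') {
        return ['status' => 403, 'body' => 'insufficient privileges'];
    }
    if (!isset($post['csrf_token'], $session['csrf_token'])
        || !hash_equals($session['csrf_token'], (string) $post['csrf_token'])) {
        return ['status' => 403, 'body' => 'invalid csrf token'];
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return ['status' => 400, 'body' => 'invalid id'];
    }

    $stmt = $db->prepare('DELETE FROM tenants WHERE id = ?');
    $stmt->execute([$id]);
    $deleted = $stmt->rowCount() === 1;

    error_log(sprintf('audit: tenant %d delete by user %d -> %s',
                      $id, (int) $session['login_id'], $deleted ? 'ok' : 'not found'));

    return $deleted
        ? ['status' => 200, 'body' => 'deleted']
        : ['status' => 404, 'body' => 'no such tenant'];
}

// Dispatch mirroring the ?action=delete_tenant routing the advisory names.
// The in-memory table stands in for the application's real database.
if (($_GET['action'] ?? '') === 'delete_tenant'
    && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO tenants (id, name) VALUES (12, 'constructed sample tenant')");

    $result = delete_tenant_checked($db, $_SESSION, $_POST);
    http_response_code($result['status']);
    header('Content-Type: text/plain');
    echo $result['body'], "\n";
}
```

The order of the checks matters: authentication and authorization are evaluated before the id is even parsed, so an unauthenticated client learns nothing about which ids exist, and every rejected or accepted deletion leaves an audit line that ties the action to a session. A web application firewall rule that blocks POSTs to this action from clients without a session cookie is a stop-gap; it does not replace the server-side check, because the cookie's presence says nothing about the session's validity or role.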

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
