VYPR
Unrated severity · NVD Advisory · Published Jan 29, 2025 · Updated Feb 12, 2025

SourceCodester Best Employee Management System Administrative Endpoint View_user.php access control

CVE-2025-0802

Description

A vulnerability classified as critical was found in SourceCodester Best Employee Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/View_user.php of the component Administrative Endpoint. The manipulation leads to improper access controls. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SourceCodester Best Employee Management System 1.0 has improper access controls in /admin/View_user.php, allowing low-privileged users to access admin functions remotely.

Vulnerability

In SourceCodester Best Employee Management System 1.0, the endpoint /admin/View_user.php lacks proper authorization checks. This allows any authenticated user, regardless of privilege level, to access administrative functionalities such as viewing, creating, and deleting employee records. The vulnerability is classified as critical and affects the administrative panel component [1].

Exploitation

An attacker only needs a valid user account with low privileges (e.g., a standard employee). The exploit involves appending /admin/View_user.php to the application base URL (e.g., http://localhost/_hr_soft/admin/View_user.php) after logging in with the low-privileged account. No additional authentication or special conditions are required. The attacker can then perform admin-level operations such as deleting or creating employee records [1].

Impact

Successful exploitation violates the principle of least privilege, allowing unauthorized administrative actions. This compromises data integrity (unauthorized modification or deletion of employee records) and can lead to further security breaches. The attacker gains admin-level capabilities without proper authorization [1].

Mitigation

As of the publication date (2025-01-29), no official patch has been released. The vendor (SourceCodester) has not provided a fix or workaround. Users should implement access control checks at the server level, restrict direct access to /admin/ endpoints based on user roles, and monitor for unauthorized activity. The vulnerability is publicly disclosed, increasing the risk of exploitation [1][2].
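The server-side role check recommended above can be centralised in one guard file that every script under /admin/ includes before doing any work. The following PHP is an added example written for this advisory; it is not code from SourceCodester's Best Employee Management System. The session keys `user_id` and `role`, the role name `admin`, the file name `admin_guard.php` and the `/login.php` path are all assumptions chosen for illustration, not values taken from the project.

```php
<?php
// admin_guard.php -- added example, not part of the vendor's code.
// Include as the first statement of every script under /admin/ (e.g. View_user.php):
//     require_once __DIR__ . '/admin_guard.php';
// Assumptions (hypothetical, not taken from the project): the login script stores
// the user's id in $_SESSION['user_id'] and role in $_SESSION['role'], the
// administrative role is named 'admin', and the login page lives at /login.php.

declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

/**
 * Decide whether a session may use an administrative endpoint.
 * Returns 'allow', 'login' (not authenticated) or 'deny' (authenticated, wrong role).
 * Kept as a pure function of the session array so it can be unit-tested.
 */
function admin_access_decision(array $session): string
{
    if (empty($session['user_id'])) {
        return 'login';
    }
    // Compare the role exactly; the role comes from server-side session state
    // set at login, never from a request parameter or a client-controlled cookie.
    if (($session['role'] ?? '') !== 'admin') {
        return 'deny';
    }
    return 'allow';
}

$decision = admin_access_decision($_SESSION);

if ($decision === 'login') {
    header('Location: /login.php', true, 302);
    exit;
}

if ($decision === 'deny') {
    // Record the attempt so that low-privileged accounts probing /admin/ are visible
    // in the logs, which supports the monitoring the advisory recommends.
    error_log(sprintf(
        'admin access denied: user_id=%s role=%s path=%s ip=%s',
        (string)($_SESSION['user_id'] ?? '-'),
        (string)($_SESSION['role'] ?? '-'),
        $_SERVER['REQUEST_URI'] ?? '-',
        $_SERVER['REMOTE_ADDR'] ?? '-'
    ));
    http_response_code(403);
    echo 'Forbidden';
    exit;
}
// Fall through: the session holds the admin role, so the including page may continue.
```

The guard must run before the page emits output or touches the database, which is why it belongs on the first line of each administrative script rather than somewhere in the page body. Because the decision is based only on session state written at login, a low-privileged account that reaches /admin/View_user.php by typing the URL receives a 403 and a log entry instead of the admin view. Restricting the /admin/ path at the web server (for example, by network location) can be layered on top, but it does not replace the per-request role check, since the issue here is an authenticated user of the wrong role rather than an anonymous one.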

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in our index yet)