hotel-mgmt-system has an improper authentication logic vulnerability

## PoC - Proof of Concept

---

Initially, accessing the application's login page

![image](https://github.com/user-attachments/assets/4347e132-b1d4-4d51-a675-4ffd7c587386)

Next, intercepting the request using Burp Suite and sending a login request with an invalid, random password.

![image 1](https://github.com/user-attachments/assets/1ddf1e19-6c16-4cad-a7a2-182777255d11)

Sending the request to the application successfully logs in, even with an incorrect password.

![image 2](https://github.com/user-attachments/assets/2cc31ded-8341-41d6-ae74-6a477aa66bf1)

## Code Review

---

When a user sends a login request, the `process_login.php` endpoint is called.

Upon reviewing the code, we can see that the function responsible for checking if the password is correct is `isPasswordMatchWithEmail`. If this function returns `false`, the password is considered incorrect.

![image 3](https://github.com/user-attachments/assets/e19ef914-c28a-4708-b22b-483505d90087)


However, upon inspecting the implementation of this function in `CustomerHandler.php`, it is evident that it returns a **string** instead of a boolean value.

![image 4](https://github.com/user-attachments/assets/87eeeb23-40c0-4080-b670-1aae62263751)


As a result, whenever the function returns any **non-empty string**, PHP interprets it as `true`, allowing the login process to proceed even when the password is incorrect.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

hotel-mgmt-system has an improper authentication logic vulnerability #33

PoC - Proof of Concept

Code Review

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

hotel-mgmt-system has an improper authentication logic vulnerability #33

Description

PoC - Proof of Concept

Code Review

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions