Executive Summary

This vulnerability is a Business Logic flaw in the SourceCodester Loan Management System version 1.0. It occurs because the server does not properly validate input on the backend when administrators create loan plans with specific interest rates.

While the frontend interface prevents users from entering negative interest rates by blocking such input, this restriction is not enforced on the server side. An authenticated attacker can bypass the frontend validation by manipulating the HTTP POST request to submit a negative value for the interest_percentage parameter.

As a result, loan plans with negative interest rates can be created, which violates the system's financial logic and can cause incorrect loan calculations.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by corrupting financial data integrity within the Loan Management System.

It disrupts the business logic by allowing loan calculations to yield incorrect or negative interest amounts.

If such loan plans with negative interest rates are applied to real loans, it could lead to financial loss because the system might deduct money instead of adding interest.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to create a loan plan with a negative interest rate via a manipulated HTTP POST request to the endpoint ajax.php?action=save_plan. Since the frontend blocks negative values but the backend does not validate them, sending a crafted POST request with a negative interest_percentage value will reveal if the system is vulnerable.

A practical detection method is to use a curl command to send such a request and observe if the system accepts the negative interest rate.

• curl --compressed -s -i -X POST 'http://127.0.0.1:8082/ajax.php?action=save_plan' \
• -F "id=" \
• -F "months=12" \
• -F "interest_percentage=-5.5" \
• -F "penalty_rate=2" \
• -w "\nHTTP_STATUS:%{http_code}" \
• -H "Cookie: PHPSESSID=YOUR_COOKIE_HERE"

If the response indicates success and the loan plan is created with a negative interest rate, the vulnerability exists.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include implementing proper server-side validation to reject any negative values for the interest_percentage parameter when creating loan plans.

Since the frontend validation can be bypassed, the backend must enforce constraints to ensure that only valid, non-negative interest rates are accepted.

Additionally, review and sanitize all inputs on the server side to prevent manipulation of business logic.

If possible, temporarily restrict administrator access or monitor logs for suspicious POST requests attempting to submit negative interest rates until a patch or update is applied.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0