Sanka1pp/SourceCodester-Banking-CVE

Security Advisory: SourceCodester Online Banking System v1.0

"Nice research! You drove a bus through this..." (Packet Storm Security Staff)

| Advisory Property | Details |
|---|---|
| Vendor | SourceCodester |
| Product | Online Banking Management System |
| Version | 1.0 |
| Vulnerability Count | 5 |
| Status | Unpatched (0-Day) |
| Date | January 2026 |

1. Executive Summary

Syntropy Security has identified five (3 Critical + 2 High) architectural vulnerabilities in the SourceCodester Online Banking System v1.0. These vulnerabilities demonstrate a complete breakdown of financial security controls. The flaws allow unauthenticated remote attackers to execute arbitrary code (RCE), bypass business logic to generate unlimited funds, and hijack administrative sessions.

Due to the severity of these findings (including Remote Code Execution and Financial Fraud), immediate remediation is recommended.

2. Vulnerability Index and Proof of Concept

The technical evidence for these findings is distributed across a comprehensive PDF report, specific exploit scripts, and video demonstrations.

| Vulnerability Type | Severity | CVE ID | Proof Artifacts & Documentation |
|---|---|---|---|
| Remote Code Execution (RCE) (Authenticated SQL Injection) | Critical | Pending | PDF Report (Section C); Exploit Summary; Video Demonstration |
| Financial Logic Error (Integer Overflow / Negative Transfer) | Critical | Pending | PDF Report (Section A); Video Demonstration |
| Concurrency Failure (Race Condition) (Double Spending Attack) | Critical | Pending | PDF Report (Section B); Python Exploit (Race_Condition_Exploit.py); Video Demonstration |
| Broken Access Control (IDOR) (Unauthorized Dashboard Access) | High | Pending | PDF Report (Section D); Video Demonstration |
| Stored Cross-Site Scripting (XSS) (Session Hijacking in Logs) | High | Pending | PDF Report (Section E); Video Demonstration |

3. Technical Analysis

3.1 Remote Code Execution (CWE-89)

The application allows authenticated users to inject arbitrary SQL commands via the transfer.php endpoint. Specifically, the otherNo parameter allows for INTO OUTFILE injection, enabling an attacker to write a PHP web shell to the server document root and achieve full system compromise.

3.2 Financial Integrity Failures (CWE-190 & CWE-362)

  • Integer Overflow: The transfer logic fails to validate negative inputs. Authenticated users can transfer negative amounts (e.g., -500), effectively stealing funds from other accounts.
  • Race Condition: The transaction processing logic lacks atomic database locks (e.g., FOR UPDATE), allowing attackers to send simultaneous requests to spend the same balance multiple times (Double Spending).

3.3 Access Control Failures (CWE-639 & CWE-79)

Administrative dashboards (mindex.php) are accessible to unprivileged users via Forced Browsing (IDOR). Additionally, the audit logs (feedback.php) are vulnerable to Stored XSS, allowing attackers to hijack administrator sessions by injecting malicious JavaScript into feedback forms.

4. Attack Surface Map

Visualizing the exploitation paths discovered during the audit:

[ EXTERNAL ATTACKER ]
        │
        ├── (A) Unauthenticated SQL Injection ──> [ DATABASE DUMP ]
        │       (Target: get_doctor.php)
        │
        ├── (B) Authentication Bypass ──────────> [ ADMIN DASHBOARD ]
        │       (Target: /admin/ path)                   │
        │                                                ▼
        ├── (C) IDOR / Broken Access Control ───> [ PATIENT RECORDS (PHI) ]
        │       (Target: view-medhistory.php)
        │
        └── (D) Stored XSS / CSRF ──────────────> [ ACCOUNT TAKEOVER ]
                (Target: User Profile / Add Doctor)

5. Remediation Recommendations

This software is fundamentally insecure and should not be used in any production environment. Administrators are advised to:

  1. Network Isolation: Restrict access to the banking panel to trusted IP addresses only.
  2. Web Application Firewall (WAF): Deploy rules to block SQL injection patterns and negative integer inputs.
  3. Code Revision:
    • Wrap all balance updates in START TRANSACTION ... COMMIT blocks.
    • Reject all negative numbers at the API level.
    • Rewrite all queries using mysqli_prepare().
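The transfer-side fixes from 3.2 and the "Code Revision" items above, combined into one handler. This is an added example written for this advisory, not code from the SourceCodester product; it assumes MySQL/InnoDB behind PDO and hypothetical `accounts(id, balance)` and `transfers(from_id, to_id, amount)` tables.

```php
<?php
// Added example (not the vendor's code): a transfer handler that rejects
// negative/zero amounts, locks both account rows with FOR UPDATE inside a
// transaction, and only debits when the balance is still sufficient.
// Table and column names are assumptions for illustration.
declare(strict_types=1);

function transferFunds(PDO $pdo, int $fromId, int $toId, string $amount): bool
{
    // Amount is validated as a decimal string (never a float): digits, at most
    // two decimal places, and strictly greater than zero. "-500" fails here.
    if (!preg_match('/^\d{1,12}(\.\d{1,2})?$/', $amount) || ltrim($amount, '0.') === '') {
        throw new InvalidArgumentException('amount must be a positive decimal');
    }
    if ($fromId === $toId) {
        throw new InvalidArgumentException('source and destination must differ');
    }

    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->beginTransaction();
    try {
        // FOR UPDATE serialises concurrent transfers on the same rows, so two
        // simultaneous requests cannot both act on the same stale balance.
        // Locking in id order (ORDER BY id) avoids deadlocks between transfers.
        $lock = $pdo->prepare(
            'SELECT id, balance FROM accounts WHERE id IN (?, ?) ORDER BY id FOR UPDATE'
        );
        $lock->execute([$fromId, $toId]);
        if (count($lock->fetchAll(PDO::FETCH_KEY_PAIR)) !== 2) {
            throw new RuntimeException('account not found');
        }
        // Conditional debit: the WHERE clause re-checks the balance on the
        // locked row, so an insufficient balance updates zero rows.
        $debit = $pdo->prepare(
            'UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?'
        );
        $debit->execute([$amount, $fromId, $amount]);
        if ($debit->rowCount() !== 1) {
            throw new RuntimeException('insufficient funds');
        }
        $credit = $pdo->prepare('UPDATE accounts SET balance = balance + ? WHERE id = ?');
        $credit->execute([$amount, $toId]);
        $log = $pdo->prepare('INSERT INTO transfers (from_id, to_id, amount) VALUES (?, ?, ?)');
        $log->execute([$fromId, $toId, $amount]);
        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        $pdo->rollBack();  // nothing is persisted if any step fails
        throw $e;
    }
}
```

Every value reaches MySQL through a bound parameter, so the same function also closes the SQL injection path the otherNo parameter exposes in transfer.php.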

6. Remediation & Patch Analysis

The vendor has not released a patch. Below is the required code-level remediation for developers.

🛡️ Vulnerable vs. Secure Code Diff

SQL Injection Fix (Use PDO):

```php
// VULNERABLE: user input concatenated directly into the query string
$sql = "SELECT * FROM doctors WHERE specilization = '".$_POST['specilizationid']."'";

// SECURE: bound parameter, the value is never parsed as SQL
$stmt = $pdo->prepare("SELECT * FROM doctors WHERE specilization = :specid");
$stmt->execute(['specid' => $_POST['specilizationid']]);
```

Access Control Fix (Session Validation):

```php
// VULNERABLE:
// No check at top of admin files.

// SECURE (Add to top of every /admin/ file):
session_start();
// isset() guards against an undefined index when no session exists yet
if (!isset($_SESSION['role']) || $_SESSION['role'] !== 'admin') {
    header("Location: /login.php");
    exit();
}
```

7. Credits

Research & Discovery: Sankalp Devidas Hanwate

Organization: Syntropy Security

Citation & Reference

Permanent Link: Packet Storm Security Advisory

Researcher: Sankalp Devidas Hanwate (Syntropy Security)

License: Educational Use / Responsible Disclosure

To leverage this research for penetration testing or security training, please link back to this repository.

About

Syntropy Security's comprehensive security audit of the Online Banking Management System v1.0. Our assessment concludes that the application in its current state poses unacceptable risk to the organization. We identified five (5) critical security failures that would cause catastrophic financial loss and total operational paralysis if deployed.
