CVE-2023-31704

9.8 CRITICAL

📋 TL;DR

CVE-2023-31704 is an incorrect access control vulnerability in Sourcecodester Online Computer and Laptop Store 1.0 that allows remote attackers to escalate privileges to administrator role. This affects all installations of version 1.0 of this PHP/MySQL e-commerce software. Attackers can gain full administrative control over the store.

💻 Affected Systems

Products:
  • Sourcecodester Online Computer and Laptop Store
Versions: 1.0
Operating Systems: Any OS running PHP/MySQL
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of version 1.0 are vulnerable. No special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the e-commerce system including customer data theft, financial fraud, website defacement, and installation of backdoors.

🟠 Likely Case: Unauthorized administrative access leading to data manipulation, order tampering, and potential data exfiltration.

🟢 If Mitigated: Limited impact with proper network segmentation and monitoring, but still represents a significant authentication bypass.

🌐 Internet-Facing: HIGH - This is a web application typically exposed to the internet, allowing remote exploitation.
🏢 Internal Only: MEDIUM - If deployed internally only, risk is reduced but still significant for internal attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept code exists on GitHub. Exploitation appears straightforward based on available information.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a different e-commerce platform or implementing custom security fixes.

🔧 Temporary Workarounds

  • Implement custom access control validation
    Applies to: all platforms
    Add server-side authorization checks for all administrative endpoints.
    Manual code modification required - no single command.

  • Web Application Firewall rules
    Applies to: all platforms
    Block requests to administrative endpoints from non-admin users.
    WAF-specific configuration required.

🧯 If You Can't Patch

  • Isolate the application in a segmented network with strict access controls
  • Implement comprehensive logging and monitoring for privilege escalation attempts

🔍 How to Verify

Check if Vulnerable:

Check if running Sourcecodester Online Computer and Laptop Store version 1.0. Test if non-admin users can access admin.php or similar administrative endpoints.

Check Version:

Check PHP files for version information or review installation documentation

Verify Fix Applied:

Verify that non-admin users cannot access administrative functions and that proper session validation is implemented.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access to admin.php or similar administrative endpoints
  • User privilege changes from regular to admin
  • Failed authentication attempts followed by successful admin access

Network Indicators:

  • HTTP requests to administrative endpoints from non-admin IPs
  • Unusual patterns in user-agent or referrer headers

SIEM Query:

web_access_logs WHERE (uri CONTAINS 'admin' OR uri CONTAINS 'privilege') AND user_role != 'admin' AND response_code = 200
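The log indicators and SIEM query above, implemented as runnable detection logic. This is an added example, not part of the advisory and not code from the affected software: it parses a constructed access-log format (timestamp, client IP, user, session role, method, URI, status), flags HTTP 200 responses to admin-looking URIs for sessions whose role is not admin, and separately flags a user whose role flips from a non-admin value to admin between two requests. The log format, the admin URI keywords beyond admin.php, and the sample lines are all constructed for illustration.

```python
"""Detection for the CVE-2023-31704 log indicators: admin endpoint access by
non-admin sessions, and regular-to-admin role changes. Example code; the log
format and sample lines below are constructed, not taken from the product."""
import re
from dataclasses import dataclass

# Constructed log line format:
#   <timestamp> <client_ip> user=<name> role=<role> <METHOD> <uri> <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) user=(?P<user>\S+) role=(?P<role>\S+) '
    r'(?P<method>[A-Z]+) (?P<uri>\S+) (?P<status>\d{3})$'
)

# Substrings that mark an administrative URI. 'admin' matches admin.php from the
# advisory; 'privilege' mirrors the SIEM query above. Both are assumptions about
# the deployment's URL layout, so tune them to the real install.
ADMIN_KEYWORDS = ('admin', 'privilege')


@dataclass(frozen=True)
class Alert:
    kind: str    # 'admin_access_by_nonadmin' or 'role_escalation'
    user: str
    detail: str


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    return rec


def is_admin_uri(uri):
    """Match on the path only, so a keyword in a query string does not count."""
    path = uri.split('?', 1)[0].lower()
    return any(k in path for k in ADMIN_KEYWORDS)


def find_unauthorized_admin_access(lines):
    """Equivalent of the SIEM query: admin URI, non-admin role, 200 response."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; skip rather than crash the pipeline
        if rec['status'] == 200 and rec['role'] != 'admin' and is_admin_uri(rec['uri']):
            alerts.append(Alert('admin_access_by_nonadmin', rec['user'],
                                f"{rec['method']} {rec['uri']} from {rec['ip']}"))
    return alerts


def find_role_escalations(lines):
    """Alert when a user's session role goes from a non-admin value to 'admin'."""
    last_role = {}  # user -> role seen on the previous request
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        prev = last_role.get(rec['user'])
        if prev is not None and prev != 'admin' and rec['role'] == 'admin':
            alerts.append(Alert('role_escalation', rec['user'],
                                f"{prev} -> admin at {rec['ts']}"))
        last_role[rec['user']] = rec['role']
    return alerts


# Constructed sample log: alice is a customer who first reaches an admin page
# and then appears with the admin role; bob is a legitimate admin; carol is
# denied; the last line is malformed.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z 203.0.113.5 user=alice role=customer GET /index.php 200",
    "2024-05-01T10:00:05Z 203.0.113.5 user=alice role=customer GET /admin/?page=user/list 200",
    "2024-05-01T10:00:09Z 203.0.113.5 user=alice role=admin POST /admin/?page=user/manage_user 200",
    "2024-05-01T10:01:00Z 198.51.100.7 user=bob role=admin GET /admin/ 200",
    "2024-05-01T10:02:00Z 192.0.2.9 user=carol role=customer GET /admin/ 403",
    "this line is not in the expected format",
]


def run(lines=SAMPLE_LOG):
    """Run both detections and return all alerts in one list."""
    return find_unauthorized_admin_access(lines) + find_role_escalations(lines)


if __name__ == "__main__":
    for a in run():
        print(f"[{a.kind}] user={a.user}: {a.detail}")
```

Against the sample log the first detection fires once (alice reaching /admin/ as a customer) and the second once (alice's role changing from customer to admin); carol's 403 and bob's legitimate admin traffic produce nothing. The role-change check needs the application's session role in the log, which a stock web server access log does not carry; if only URI and status are available, the first detection still works and should be correlated with the application's user table afterwards.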
