BFLA - Broken Function Level Authorization on Order Status
TaintedPort
Vuln ID: TP-025
Title: BFLA - Broken Function Level Authorization on Order Status
Severity: high
Type: Broken Access Control
HTTP Method: PUT
URL: /orders/:id/status
Parameter: is_admin
Filename: -
Code Location: backend/api/controllers/OrderController.php lines 78-81
Description: The order status update endpoint checks whether is_admin=true was passed in the request body instead of verifying the authenticated user's actual role. Any authenticated user can therefore change the status of any order.
Proof of Concept: Send PUT /orders/:id/status with the body {"status": "cancelled", "is_admin": true} as any authenticated user.
Remediation: Determine admin status from the authenticated user's identity (JWT claims or the database), never from the request body.