A critical information disclosure vulnerability has been identified in the SourceCodester Simple Online Book Store System. This flaw allows any remote, unauthenticated attacker to download a complete backup of the application's database, leading to the exposure of all stored data, including user credentials and sensitive information.

The application incorrectly stores a full database backup file (obs_db) in a web-accessible directory. An unauthenticated remote attacker can exploit this vulnerability by sending a standard HTTP GET request to the known path /obs/database/obs_db. The server will respond with the full contents of the database file, which includes the database schema, all user data, and credential hashes, requiring no authentication or specialized tools.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation would result in a complete loss of data confidentiality for the affected application. The consequences include the exposure of customer Personally Identifiable Information (PII), user account credentials (hashed), and other sensitive business data. This could lead to significant reputational damage, loss of customer trust, regulatory fines, and further system compromise if attackers crack the credential hashes and use them for credential stuffing attacks against other services.

Immediate Action: Apply the vendor-provided security updates immediately to remove the exposed backup file and prevent its future creation in web-accessible locations. After patching, verify that the /obs/database/obs_db path is no longer accessible.

Proactive Monitoring: Review historical and current web server access logs for any GET requests to the /obs/database/obs_db URI. Any access attempts from untrusted IP addresses should be considered an indicator of compromise, and an incident response investigation should be initiated to determine the extent of the data breach.

Compensating Controls: If immediate patching is not feasible, implement a rule on a Web Application Firewall (WAF) or the web server itself to explicitly block all access to the /obs/database/ directory and the obs_db file. As an alternative, the backup file can be manually removed from the webroot and backup procedures can be reconfigured to store backups in a secure, non-web-accessible location.

Public Exploit Available: true

Given the high severity (CVSS 7.5) and the trivial nature of exploitation, this vulnerability poses a critical and immediate risk to the organization. We strongly recommend applying the vendor patch on all affected systems without delay. Furthermore, it is imperative to conduct a forensic review of web server logs to determine if this vulnerability has been exploited prior to remediation, as a data breach should be assumed until proven otherwise.