Unprotected admin functionality

Description

This lab has an unprotected admin panel.

Reproduction and proof of concept

1. Go to the lab and view robots.txt by appending /robots.txt to the lab URL. Notice that the Disallow line discloses the path to the admin panel.

2. In the URL bar, replace /robots.txt with /administrator-panel to load the admin panel.

3. Delete carlos.

Exploitability

An attacker will need to delete the user carlos.