| Field | Value |
|---|---|
| Title | code-projects Contact Management System in PHP unknown Authentication Bypass Issues |
| User | imcoming (UID 95032) |
| Submission | 30/01/2026 11:37 AM (3 months ago) |
| Moderation | 07/02/2026 03:57 PM (8 days later) |
| Status | Approved |
| VulDB Entry | 344875 [code-projects Contact Management System 1.0 CRUD Endpoint weak authentication] |
| Points | 17 |

Description:

The Contact Management System has no authentication or authorization controls on its CRUD endpoints. The application's core write and delete operations (notably `create.php`, `update.php`, and `delete.php`) execute database changes without verifying the caller's identity or permissions, and the web UI exposes destructive actions (e.g. deletion) through unauthenticated GET links (`delete.php?id=<id>`). As a result, any remote unauthenticated user can create, modify, or delete contacts and view the full contacts listing.

Affected components:
- `create.php` — unauthenticated creation of contacts via POST
- `update.php` — unauthenticated modification via POST
- `delete.php` — unauthenticated deletion via GET (no CSRF protection)
- `index.php`, `edit.php` — display and edit interfaces that assume authenticated use

Reproduction (example):
1. Visit `http://<host>/index.php` to view contacts (no authentication required).
2. Submit a POST to `http://<host>/create.php` with form fields (first, last, phone, etc.) to create a new record — the request succeeds without credentials.
3. Trigger deletion by visiting `http://<host>/delete.php?id=1` — the record is deleted without authentication or a CSRF token.
4. Submit a POST to `http://<host>/update.php` with `id` and updated fields — the modification succeeds without authentication.

Impact:
- Complete unauthorized access to application data (read/write/delete).
- Data integrity compromise, data loss, and business disruption.
- Attackers can combine this with XSS/CSRF to escalate impact (session theft, persistent backdoors).
- Exposure of sensitive data if database credentials (in source) are leaked.

References / Evidence:
- Review `create.php`, `update.php`, and `delete.php` in the application source; `delete.php` uses `$_GET['id']` and executes the delete without checks.
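As an added illustration (not the project's code), the following constructed PHP shows a `delete.php` handler in the shape the report describes, followed by a hardened version that enforces session authentication, POST-only destructive actions, a CSRF token check and an ownership check. The `contacts` table, its `owner_id` column and the session keys are assumptions.

```php
<?php
// Added example (not the project's code): a constructed delete.php in the shape the
// report describes, followed by a hardened version. Table/column names are assumed.
declare(strict_types=1);

// --- Vulnerable shape (as reported): GET-triggered delete with no auth or CSRF check ---
function delete_contact_unprotected(PDO $db, array $get): bool
{
    $stmt = $db->prepare('DELETE FROM contacts WHERE id = ?');
    return $stmt->execute([$get['id'] ?? null]);  // anyone who can reach the URL can delete
}

// --- Hardened version ---
function delete_contact_protected(PDO $db, array $server, array $post, array $session): bool
{
    // 1. Authentication: only a logged-in user may reach a destructive action.
    if (empty($session['user_id'])) {
        http_response_code(401);
        return false;
    }
    // 2. Destructive actions are POST-only; a GET link must never change state.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        return false;
    }
    // 3. CSRF: compare the submitted token with the per-session token in constant time
    //    (token issued at login with bin2hex(random_bytes(32)) and embedded in the form).
    if (empty($session['csrf_token']) || empty($post['csrf_token'])
        || !hash_equals($session['csrf_token'], $post['csrf_token'])) {
        http_response_code(403);
        return false;
    }
    // 4. Input validation: id must be a positive integer before it reaches the query.
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return false;
    }
    // 5. Authorization: scope the delete to rows the caller owns (owner_id column assumed).
    $stmt = $db->prepare('DELETE FROM contacts WHERE id = ? AND owner_id = ?');
    $stmt->execute([$id, (int) $session['user_id']]);
    return $stmt->rowCount() === 1;
}

// Wiring in delete.php (call site; session_start() and $db creation assumed earlier):
// session_start();
// $ok = delete_contact_protected($db, $_SERVER, $_POST, $_SESSION);
// header('Location: index.php'); exit;
```

The same three checks (session, POST-only with CSRF token, input validation) apply unchanged to `create.php` and `update.php`, which the report lists as equally unprotected.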