| عنوان | Source Code & Projects PHP N/A Insecure Direct Object Reference |
|---|
| الوصف | In viewdoctortimings.php, the Online Hospital Management System contains an Insecure Direct Object Reference (IDOR) vulnerability that allows a low-privileged user to delete doctor timing records belonging to other doctors. The script processes a delid parameter from the URL to delete a doctor_timings record, but it performs no ownership check to verify that the record actually belongs to the currently authenticated doctor. Additionally, the deletion logic is executed without any session validation, meaning the endpoint may even be reachable by unauthenticated users. |
|---|
| المصدر | ⚠️ https://github.com/Carm3nc1ta/vuln-test/blob/main/Online%20Hospital%20Management%20System%20has%20IDOR%20vulnerability%20in%20viewdoctortimings_php.md |
|---|
| المستخدم | Ever1etY (UID 98199) |
|---|
| ارسال | 12/05/2026 08:22 PM (28 أيام منذ) |
|---|
| الاعتدال | 31/05/2026 08:06 PM (19 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 367592 [code-projects Online Hospital Management System 1.0 viewdoctortimings.php delid تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|