| Título | SourceCodester Leave Application System in PHP and SQLite3 1.0 Improper Authorization |
|---|
| Descripción | The Leave Application System in PHP and SQLite3 is vulnerable to an Insecure Direct Object Reference (IDOR) vulnerability in the user management functionality.
The application allows authenticated users to access and modify other user accounts by manipulating the id parameter in the URL.
Example vulnerable endpoint:
?page=manage_user&id=1
By changing the id parameter value, attackers can access other users' accounts:
?page=manage_user&id=2
?page=manage_user&id=3
The application loads different user profiles based solely on the ID value without performing proper authorization checks.
This vulnerability may allow attackers to access sensitive user information, modify other user accounts, and potentially escalate privileges. |
|---|
| Fuente | ⚠️ https://medium.com/@hemantrajbhati5555/insecure-direct-object-reference-idor-in-leave-application-system-php-sqlite3-66af35b8b6ea |
|---|
| Usuario | Hemant Raj Bhati (UID 95613) |
|---|
| Sumisión | 2026-03-16 12:33 (hace 21 días) |
|---|
| Moderación | 2026-04-01 15:18 (16 days later) |
|---|
| Estado | Aceptado |
|---|
| Entrada de VulDB | 354657 [SourceCodester Leave Application System 1.0 User Information index.php?page=manage_user ID escalada de privilegios] |
|---|
| Puntos | 20 |
|---|