| Titre | Source Code & Projects PHP N/A Insecure Direct Object Reference |
|---|
| Description | In viewdoctortimings.php, the Online Hospital Management System contains an Insecure Direct Object Reference (IDOR) vulnerability that allows a low-privileged user to delete doctor timing records belonging to other doctors. The script processes a delid parameter from the URL to delete a doctor_timings record, but it performs no ownership check to verify that the record actually belongs to the currently authenticated doctor. Additionally, the deletion logic is executed without any session validation, meaning the endpoint may even be reachable by unauthenticated users. |
|---|
| La source | ⚠️ https://github.com/Carm3nc1ta/vuln-test/blob/main/Online%20Hospital%20Management%20System%20has%20IDOR%20vulnerability%20in%20viewdoctortimings_php.md |
|---|
| Utilisateur | Ever1etY (UID 98199) |
|---|
| Soumission | 12/05/2026 20:22 (il y a 23 jours) |
|---|
| Modérer | 31/05/2026 20:06 (19 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 367592 [code-projects Online Hospital Management System 1.0 viewdoctortimings.php delid élévation de privilèges] |
|---|
| Points | 20 |
|---|