| Titre | RafyMrX TOKO-ONLINE-ROTI latest (2026-05, no formal release) Improper Authentication |
|---|
| Description | Description:
TOKO-ONLINE-ROTI contains 8 administrative functions without any
authentication check (CWE-306).
Affected files in admin/proses/:
- del_produk.php (delete products)
- edit_inv.php (edit inventory)
- edit_produk.php (edit products)
- tambah_inv.php (add inventory)
- tm_produk.php (add products with file upload)
- terima.php (accept customer orders)
- tolak.php (reject customer orders)
- hapus_inv.php (delete inventory)
None of these files check $_SESSION for admin login. Only admin/proses/login.php
and logout.php have session checks. An unauthenticated attacker can directly
access any of these endpoints to add, edit, or delete products and inventory,
and accept or reject customer orders.
All these files also contain SQL injection via unsanitized $_GET/$_POST.
Exploitation:
Delete a product: GET /admin/proses/del_produk.php?kode=xxx
Add inventory: POST /admin/proses/tambah_inv.php with arbitrary data
Accept any order: GET /admin/proses/terima.php?inv=xxx
Countermeasure:
Add session authentication check to all admin/proses/ files. |
|---|
| La source | ⚠️ https://github.com/RafyMrX/TOKO-ONLINE-ROTI |
|---|
| Utilisateur | Dest1ny_1 (UID 98653) |
|---|
| Soumission | 31/05/2026 10:45 (il y a 1 mois) |
|---|
| Modérer | 11/07/2026 13:58 (1 month later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 377798 [RafyMrX TOKO-ONLINE-ROTI authentification faible] |
|---|
| Points | 20 |
|---|