| Field | Value |
|---|---|
| Title | code-projects Client Details System V1.0 Insecure Direct Object Reference |
| Description | The application treats "logged in" as sufficient to access admin functionality. There is no role-based access control (RBAC) or per-record scoping.<br>As shown in the screenshots, user 123456 and the newly created user 78910 both see the same "Client Details" page and navigation. This matches the code where `check_login()` only verifies session presence.<br>Admin pages (`admin\clientview.php`, `admin\manage-users.php`) render to any logged-in session and expose sensitive data and admin actions. |
| Source | https://github.com/hellonewbie/tutorial/issues/11 |
| User | LiuJiYing (UID 91591) |
| Submitted | 2025-10-13 16:01 (6 months ago) |
| Moderation | 2025-10-26 17:17 (13 days later) |
| Status | Accepted |
| VulDB Entry | 329953 [code-projects Client Details System 1.0 Privilege Escalation] |
| Points | 20 |