提出 #800384: code-projects Chat System Using PHP 1.0 nsecure Direct Object Reference (IDOR) + SQL Injection + Weak Pa情報

タイトル	code-projects Chat System Using PHP 1.0 nsecure Direct Object Reference (IDOR) + SQL Injection + Weak Pa
説明	A chained vulnerability combining Insecure Direct Object Reference (IDOR), SQL Injection, broken password hashing logic, and plaintext password storage was discovered in the user account update functionality of Chat System Using PHP version 1.0, available at code-projects.org. IDOR — Account Takeover via Arbitrary id: The file update_user.php accepts $_POST['id'] as the target user identifier without any ownership validation. An authenticated low-privilege user can supply any id value — including id=1 (administrator) — to overwrite any user's name, username, and password: $id = $_POST['id']; // ← no check: $_POST['id'] == $_SESSION['id'] SQL Injection — Double Injection Points: Both the SELECT (to retrieve the current record) and the UPDATE (to save changes) queries concatenate unsanitized $_POST values directly: $uq = mysqli_query($conn, "select * from `user` where userid='$id'"); // SQLi #1 mysqli_query($conn, "update `user` set uname='$name', username='$username', password='$newpassword' where userid='$id'"); // SQLi #2 Broken Password Logic — Conditional Plaintext Storage: A critical flaw in the password update logic stores the password in plaintext if the submitted value matches the existing database value: if ($password == $uqrow['password']) { $newpassword = $password; // ← plaintext stored unconditionally } else { $newpassword = md5($password); // ← MD5 without salt (weak) } This means: if an attacker obtains a user's current password (via SQLi or session hijacking) and submits it unchanged, the database will now store it in plaintext for future comparisons — degrading security on every subsequent update cycle. MD5 without salt is trivially reversible via precomputed rainbow tables (e.g., CrackStation, hashes.com).
ソース	⚠️ https://gist.github.com/higordiego/84ae7f08f5c23debebf309de3920bda2
ユーザー	c4ttr4ck (UID 75518)
送信	2026年04月08日 23:21 (19 日 ago)
モデレーション	2026年04月26日 11:04 (17 days later)
ステータス	承諾済み
VulDBエントリ	359678 [code-projects Chat System 1.0 MD5 Hash update_user.php パスワード弱い暗号化]
ポイント	20

◂ 前概要次 ▸

Want to know what is going to be exploited?

We predict KEV entries!