| タイトル | SourceCodester Human Resource Management 1.0 Insecure Direct Object Reference |
|---|
| 説明 | An Insecure Direct Object Reference (IDOR) vulnerability was identified in the Human Resource Management (HRM) application due to improper authorization validation on employee-related endpoints.
The application uses user-controlled identifiers such as `employeeid` and `empid` to access employee records without verifying whether the authenticated user is authorized to access the requested resource.
By manipulating these identifiers, an authenticated attacker can access sensitive information belonging to other employees and administrative accounts, leading to unauthorized disclosure of confidential data.
Affected endpoints include:
* `/detailview.php?employeeid=`
* `/employeeadd.php?empid=`
Successful exploitation allows attackers to:
* Access unauthorized employee records
* Enumerate valid employee identifiers
* View administrative profile information
* Potentially abuse privileged functionality
This issue exists due to missing server-side authorization checks and represents a critical Broken Access Control vulnerability under OWASP Top 10.
|
|---|
| ソース | ⚠️ https://r4sh7n.medium.com/insecure-direct-object-reference-idor-vulnerability-in-employee-management-functionality-70df8ac5b1d3?postPublishedType=repub |
|---|
| ユーザー | r4sh7n (UID 97600) |
|---|
| 送信 | 2026年05月14日 16:26 (22 日 ago) |
|---|
| モデレーション | 2026年06月02日 16:01 (19 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 367929 [SourceCodester Human Resource Management 1.0 Employee View Page /detailview.php employeeid 特権昇格] |
|---|
| ポイント | 17 |
|---|