Submission #749262: code-projects Contact Management System in PHP unknown Authentication Bypass Issues - Info

Title: code-projects Contact Management System in PHP unknown Authentication Bypass Issues

Description:
The Contact Management System contains a complete lack of authentication and authorization controls for its CRUD endpoints. The application's core write and delete operations (notably `create.php`, `update.php`, and `delete.php`) execute database changes without verifying the caller's identity or permissions, and the web UI exposes destructive actions (e.g. deletion) via unauthenticated GET links (`delete.php?id=<id>`). As a result, any remote unauthenticated user can create, modify, or delete contacts and view the full contacts listing.

Affected components:
- `create.php` - unauthenticated creation of contacts via POST
- `update.php` - unauthenticated modification via POST
- `delete.php` - unauthenticated deletion via GET (no CSRF protection)
- `index.php`, `edit.php` - display and edit interfaces that assume authenticated use

Reproduction (example):
1. Visit `http://<host>/index.php` to view contacts (no authentication required).
2. Submit a POST to `http://<host>/create.php` with form fields (first, last, phone, etc.) to create a new record; the request succeeds without credentials.
3. Trigger deletion by visiting `http://<host>/delete.php?id=1`; the record is deleted without authentication or a CSRF token.
4. Submit a POST to `http://<host>/update.php` with `id` and updated fields; the modification succeeds without authentication.

Impact:
- Complete unauthorized access to application data (read/write/delete).
- Data integrity compromise, data loss, and business disruption.
- Attackers can combine this with XSS/CSRF to escalate impact (session theft, persistent backdoors).
- Exposure of sensitive data if database credentials (in source) are leaked.

References / Evidence:
- Review `create.php`, `update.php`, and `delete.php` in the application source; `delete.php` uses `$_GET['id']` and executes the delete without checks.
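The fix for the class of defect described above is the same for every CRUD endpoint: establish who the caller is before touching the database, accept state-changing requests only over POST, and bind them to a per-session CSRF token. The following is an added example written for this record, not code from the code-projects application; it shows a hardened `delete.php` built from three small guards that `create.php` and `update.php` would reuse. It assumes a login page that sets `$_SESSION['user_id']`, a `contacts` table with an `owner_id` column, and placeholder PDO credentials.

```php
<?php
// Added example, not the project's own code. Assumed names: $_SESSION['user_id']
// (set by a login page), $_SESSION['csrf_token'], and a contacts.owner_id column.
declare(strict_types=1);

// Guard 1: the caller must have an authenticated session.
function require_login(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Authentication required');
    }
}

// Issue (or reuse) the per-session CSRF token that forms must echo back.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Guard 2: the submitted token must match the session token (constant-time compare).
function verify_csrf(?string $submitted): void {
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($submitted === null || $expected === '' || !hash_equals($expected, $submitted)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// Guard 3: state changes are never performed on GET, so a bare link cannot delete.
function require_post(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        header('Allow: POST');
        http_response_code(405);
        exit('Method not allowed');
    }
}

// ---- hardened delete.php ----
require_login();
require_post();                                   // delete.php?id=1 via GET is refused
verify_csrf($_POST['csrf_token'] ?? null);

// Validate the id as a positive integer; null = missing, false = not an integer.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid id');
}

// Placeholder connection details; the project's real connection code is not shown here.
$pdo = new PDO('mysql:host=localhost;dbname=contacts_db', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Authorization: a prepared statement scoped to the logged-in user's own rows,
// so a valid session still cannot delete another user's contact.
$stmt = $pdo->prepare('DELETE FROM contacts WHERE id = :id AND owner_id = :owner');
$stmt->execute([':id' => $id, ':owner' => $_SESSION['user_id']]);

if ($stmt->rowCount() === 0) {
    http_response_code(404);
    exit('No such contact');
}
header('Location: index.php');
exit;

// The matching change in index.php: the "Delete" anchor becomes a form.
//   <form method="post" action="delete.php">
//     <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
//     <input type="hidden" name="id" value="<?= (int) $row['id'] ?>">
//     <button type="submit">Delete</button>
//   </form>
```

`create.php` and `update.php` get the same three calls at the top (`require_login()`, `require_post()`, `verify_csrf(...)`) and the same `owner_id` scoping in their `UPDATE` statement; the guards belong in one shared include so that no endpoint can be added without them. The ownership clause is what turns "authenticated" into "authorized": without it, step 4 of the reproduction would still let any logged-in user rewrite every record.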
User: imcoming (UID 95032)
Submitted: 2026-01-30 11:37 AM (3 months ago)
Moderation: 2026-02-07 03:57 PM (8 days later)
Status: Accepted
VulDB Entry: 344875 [code-projects Contact Management System 1.0 CRUD Endpoint id weak authentication]
Points: 17
