| 제목 | Source Code & Projects PHP N/A Insecure Direct Object Reference |
|---|
| 설명 | In viewdoctortimings.php, the Online Hospital Management System contains an Insecure Direct Object Reference (IDOR) vulnerability that allows a low-privileged user to delete doctor timing records belonging to other doctors. The script processes a delid parameter from the URL to delete a doctor_timings record, but it performs no ownership check to verify that the record actually belongs to the currently authenticated doctor. Additionally, the deletion logic is executed without any session validation, meaning the endpoint may even be reachable by unauthenticated users. |
|---|
| 원천 | ⚠️ https://github.com/Carm3nc1ta/vuln-test/blob/main/Online%20Hospital%20Management%20System%20has%20IDOR%20vulnerability%20in%20viewdoctortimings_php.md |
|---|
| 사용자 | Ever1etY (UID 98199) |
|---|
| 제출 | 2026. 05. 12. PM 08:22 (23 날 ago) |
|---|
| 모더레이션 | 2026. 05. 31. PM 08:06 (19 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 367592 [code-projects Online Hospital Management System 1.0 viewdoctortimings.php delid 권한 상승] |
|---|
| 포인트들 | 20 |
|---|