| 제목 | SourceCodester Human Resource Management 1.0 Insecure Direct Object Reference |
|---|
| 설명 | An Insecure Direct Object Reference (IDOR) vulnerability was identified in the Human Resource Management (HRM) application due to improper authorization validation on employee-related endpoints.
The application uses user-controlled identifiers such as `employeeid` and `empid` to access employee records without verifying whether the authenticated user is authorized to access the requested resource.
By manipulating these identifiers, an authenticated attacker can access sensitive information belonging to other employees and administrative accounts, leading to unauthorized disclosure of confidential data.
Affected endpoints include:
* `/detailview.php?employeeid=`
* `/employeeadd.php?empid=`
Successful exploitation allows attackers to:
* Access unauthorized employee records
* Enumerate valid employee identifiers
* View administrative profile information
* Potentially abuse privileged functionality
This issue exists due to missing server-side authorization checks and represents a critical Broken Access Control vulnerability under OWASP Top 10.
|
|---|
| 원천 | ⚠️ https://r4sh7n.medium.com/insecure-direct-object-reference-idor-vulnerability-in-employee-management-functionality-70df8ac5b1d3?postPublishedType=repub |
|---|
| 사용자 | r4sh7n (UID 97600) |
|---|
| 제출 | 2026. 05. 14. PM 04:26 (21 날 ago) |
|---|
| 모더레이션 | 2026. 06. 02. PM 04:01 (19 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 367929 [SourceCodester Human Resource Management 1.0 Employee View Page /detailview.php employeeid 권한 상승] |
|---|
| 포인트들 | 17 |
|---|