| Title | code-projects Client Details System V1.0 Insecure Direct Object Reference |
|---|---|
| Description | The application treats “logged in” as sufficient to access admin functionality. There is no role-based access control (RBAC) or per-record scoping. As shown in the screenshots, user 123456 and the newly created user 78910 both see the same “Client Details” page and navigation. This matches the code where check_login() only verifies session presence. Admin pages (admin\clientview.php, admin\manage-users.php) render to any logged-in session and expose sensitive data and admin actions. |
| Source | https://github.com/hellonewbie/tutorial/issues/11 |
| User | LiuJiYing (UID 91591) |
| Submission | 13/10/2025 16:01 (6 months ago) |
| Moderation | 26/10/2025 17:17 (13 days later) |
| Status | Accepted |
| VulDB Entry | 329953 [code-projects Client Details System 1.0 Privilege Escalation] |
| Points | 20 |
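The description states that check_login() stops at session presence, so any authenticated session reaches the admin pages. The PHP below is an added illustration, not code from the Client Details System or from the report: it places that session-only gate beside a role check and a per-record scope check of the kind the description says is missing. The function names, the 'user_id' and 'role' session keys, the roles assigned to the two accounts and the client record are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Client Details System project. The report
// says check_login() only verifies session presence; the function names,
// session keys ('user_id', 'role'), roles and the $client fixture are assumed.

// Vulnerable gate: every logged-in session passes, so admin pages such as
// admin\clientview.php render for any user. This is the behaviour described
// in the report.
function check_login(array $session): bool
{
    return isset($session['user_id']);
}

// Hardened gate: authentication and authorization are separate decisions.
// Returns an HTTP status instead of exiting so it can run from the CLI:
// 401 = no authenticated session, 403 = authenticated but wrong role,
// 200 = allowed. The role is read from the server-side session only, never
// from a request parameter the client controls.
function authorize(array $session, string $requiredRole): int
{
    if (!isset($session['user_id'], $session['role'])) {
        return 401;
    }
    if ($session['role'] !== $requiredRole) {
        return 403;
    }
    return 200;
}

// Per-record scoping for a client-view page: an admin may see every record,
// any other role only records whose owner_id matches the session's user_id.
// The record identifier in the URL is therefore not enough on its own.
function canViewClient(array $session, array $client): bool
{
    if (!isset($session['user_id'])) {
        return false;
    }
    if (($session['role'] ?? '') === 'admin') {
        return true;
    }
    return (int) $client['owner_id'] === (int) $session['user_id'];
}

// Constructed fixtures using the two account ids from the report. Which of
// them is an admin is an assumption for this example.
$admin  = ['user_id' => 123456, 'role' => 'admin'];
$newbie = ['user_id' => 78910,  'role' => 'user'];
$anon   = [];
$client = ['id' => 7, 'name' => 'Example client', 'owner_id' => 123456];

// Session-only gate: both accounts are treated identically.
var_dump(check_login($admin), check_login($newbie));

// Role gate: the same two sessions, plus an anonymous one, are now told apart.
var_dump(authorize($admin, 'admin'), authorize($newbie, 'admin'), authorize($anon, 'admin'));

// Record gate: the client owned by 123456 is checked against each session.
var_dump(canViewClient($admin, $client), canViewClient($newbie, $client));
```

Run it with `php example.php`. The point of separating authorize() from canViewClient() is that the first fixes the admin-page exposure (manage-users.php style pages) while the second addresses the per-record half of the description: even a user who may legitimately open clientview.php must still be limited to records scoped to them.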