| Field | Value |
|---|---|
| Title | code-projects Contact Management System in PHP unknown Authentication Bypass Issues |

Description:
The Contact Management System has no authentication or authorization controls on its CRUD endpoints. The application's core write and delete operations (`create.php`, `update.php`, and `delete.php`) execute database changes without verifying the caller's identity or permissions, and the web UI exposes destructive actions such as deletion through unauthenticated GET links (`delete.php?id=<id>`). As a result, any remote unauthenticated user can create, modify, or delete contacts and view the full contacts listing.

Affected components:

- `create.php`: unauthenticated creation of contacts via POST
- `update.php`: unauthenticated modification of contacts via POST
- `delete.php`: unauthenticated deletion via GET (no CSRF protection)
- `index.php`, `edit.php`: display and edit interfaces that assume an authenticated user

Reproduction (example):

1. Visit `http://<host>/index.php` to view contacts (no authentication required).
2. Submit a POST to `http://<host>/create.php` with form fields (first, last, phone, etc.) to create a new record; the request succeeds without credentials.
3. Trigger deletion by visiting `http://<host>/delete.php?id=1`; the record is deleted without authentication or a CSRF token.
4. Submit a POST to `http://<host>/update.php` with `id` and updated fields; the modification succeeds without authentication.

Impact:

- Complete unauthorized access to application data (read/write/delete).
- Data integrity compromise, data loss, and business disruption.
- Attackers can combine this with XSS/CSRF to escalate impact (session theft, persistent backdoors).
- Exposure of sensitive data if database credentials (in source) are leaked.

References / Evidence:

- Review `create.php`, `update.php`, and `delete.php` in the application source; `delete.php` reads `$_GET['id']` and executes the delete without any checks.
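The following is an added example, not code from the code-projects application, showing a hardened `delete.php` that closes the three gaps the report lists for that endpoint: no authentication, deletion triggered by a plain GET link, and no CSRF token. It assumes a mysqli connection in `$mysqli` set up by an included `config.php`, a `contacts` table with integer `id` and `owner_id` columns, a login flow that sets `$_SESSION['user_id']`, and a `login.php` page; all of those names are assumptions, not details from the report.

```php
<?php
// Added example, not the project's code. Assumptions: $mysqli comes from config.php,
// table `contacts` has integer `id` and `owner_id`, login sets $_SESSION['user_id'].
declare(strict_types=1);

// --- Pattern the report describes (illustrative reconstruction, not the real delete.php) ---
// $id = (int) $_GET['id'];                                     // any visitor, any GET link
// $stmt = $mysqli->prepare('DELETE FROM contacts WHERE id = ?');
// $stmt->bind_param('i', $id);
// $stmt->execute();                                            // no session, no token, no ownership check

// --- Hardened replacement ---
session_start();
require __DIR__ . '/config.php'; // assumed file that creates $mysqli

/** Issue one CSRF token per session; the page rendering the form (e.g. index.php) calls this. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Render the delete control as a POST form so a link or an <img src> cannot trigger it. */
function renderDeleteForm(int $contactId): string
{
    return sprintf(
        '<form method="post" action="delete.php">'
        . '<input type="hidden" name="csrf_token" value="%s">'
        . '<input type="hidden" name="id" value="%d">'
        . '<button type="submit">Delete</button></form>',
        htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8'),
        $contactId
    );
}

/** Stop the request with an HTTP status and a short message. */
function deny(int $status, string $message): void
{
    http_response_code($status);
    exit($message);
}

// 1. Authentication: anonymous callers are sent to the login page.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

// 2. Method restriction: deletion is POST-only, so delete.php?id=1 in a browser bar does nothing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST');
    deny(405, 'Method Not Allowed');
}

// 3. CSRF: the submitted token must match the session token (constant-time comparison).
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    deny(403, 'Invalid CSRF token');
}

// 4. Input validation: id must be a positive integer.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    deny(400, 'Invalid id');
}

// 5. Authorization: scope the delete to rows owned by the logged-in user (prepared statement).
$ownerId = (int) $_SESSION['user_id'];
$stmt = $mysqli->prepare('DELETE FROM contacts WHERE id = ? AND owner_id = ?');
$stmt->bind_param('ii', $id, $ownerId);
$stmt->execute();
if ($stmt->affected_rows === 0) {
    deny(404, 'No such contact for this user');
}

header('Location: index.php');
exit;
```

The session check, the POST-only rule, and the token comparison apply unchanged to `create.php` and `update.php`. If the schema has no owner column, drop the `owner_id` clause; the session check then still enforces authentication, but every logged-in user can delete every contact, which is the authorization gap the report also names.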
| Field | Value |
|---|---|
| User | imcoming (UID 95032) |
| Submission | 30/01/2026 11:37 (3 months ago) |
| Moderation | 07/02/2026 15:57 (8 days later) |
| Status | Accepted |
| VulDB Entry | 344875 [code-projects Contact Management System 1.0 CRUD Endpoint ID weak authentication] |
| Points | 17 |