Submeter #844137: RafyMrX TOKO-ONLINE-ROTI latest (2026-05, no formal release) Improper Authenticationinformação

TítuloRafyMrX TOKO-ONLINE-ROTI latest (2026-05, no formal release) Improper Authentication
DescriçãoDescription: TOKO-ONLINE-ROTI contains 8 administrative functions without any authentication check (CWE-306). Affected files in admin/proses/: - del_produk.php (delete products) - edit_inv.php (edit inventory) - edit_produk.php (edit products) - tambah_inv.php (add inventory) - tm_produk.php (add products with file upload) - terima.php (accept customer orders) - tolak.php (reject customer orders) - hapus_inv.php (delete inventory) None of these files check $_SESSION for admin login. Only admin/proses/login.php and logout.php have session checks. An unauthenticated attacker can directly access any of these endpoints to add, edit, or delete products and inventory, and accept or reject customer orders. All these files also contain SQL injection via unsanitized $_GET/$_POST. Exploitation: Delete a product: GET /admin/proses/del_produk.php?kode=xxx Add inventory: POST /admin/proses/tambah_inv.php with arbitrary data Accept any order: GET /admin/proses/terima.php?inv=xxx Countermeasure: Add session authentication check to all admin/proses/ files.
Fonte⚠️ https://github.com/RafyMrX/TOKO-ONLINE-ROTI
Utilizador Dest1ny_1 (UID 98653)
Submissão31/05/2026 10h45 (há 1 mês)
Moderação11/07/2026 13h58 (1 month later)
EstadoAceite
Entrada VulDB377798 [RafyMrX TOKO-ONLINE-ROTI até ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 Autenticação fraca]
Pontos20

Do you want to use VulDB in your project?

Use the official API to access entries easily!