| Название | Source Code & Projects PHP N/A Insecure Direct Object Reference |
|---|
| Описание | In viewdoctortimings.php, the Online Hospital Management System contains an Insecure Direct Object Reference (IDOR) vulnerability that allows a low-privileged user to delete doctor timing records belonging to other doctors. The script processes a delid parameter from the URL to delete a doctor_timings record, but it performs no ownership check to verify that the record actually belongs to the currently authenticated doctor. Additionally, the deletion logic is executed without any session validation, meaning the endpoint may even be reachable by unauthenticated users. |
|---|
| Источник | ⚠️ https://github.com/Carm3nc1ta/vuln-test/blob/main/Online%20Hospital%20Management%20System%20has%20IDOR%20vulnerability%20in%20viewdoctortimings_php.md |
|---|
| Пользователь | Ever1etY (UID 98199) |
|---|
| Представление | 12.05.2026 20:22 (23 дни назад) |
|---|
| Модерация | 31.05.2026 20:06 (19 days later) |
|---|
| Статус | принято |
|---|
| Запись VulDB | 367592 [code-projects Online Hospital Management System 1.0 viewdoctortimings.php delid эскалация привилегий] |
|---|
| Баллы | 20 |
|---|