| Title | code-projects Client Details System V1.0 Insecure Direct Object Reference |
|---|
| Description | The application treats “logged in” as sufficient to access admin functionality. There is no role-based access control (RBAC) or per-record scoping.
As shown in the screenshots, user 123456 and the newly created user 78910 both see the same “Client Details” page and navigation. This matches the code, where `check_login()` only verifies session presence.
Admin pages (`admin/clientview.php`, `admin/manage-users.php`) render to any logged-in session and expose sensitive data and admin actions. |
|---|
| Source | https://github.com/hellonewbie/tutorial/issues/11 |
|---|
| User | LiuJiYing (UID 91591) |
|---|
| Submission | 10/13/2025 16:01 |
|---|
| Moderation | 10/26/2025 17:17 (13 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 329953 [code-projects Client Details System 1.0 authorization] |
|---|
| Points | 20 |
|---|
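To make the reported gap concrete, the following is an added illustrative example and not code from the Client Details System or its author: a login check of the kind the submission describes, which only tests for a session, placed beside a hardened helper that also enforces a role and a per-record ownership query. The session keys, the `role` value, the `clients.owner_id` column and the file placement are assumptions made for the illustration.

```php
<?php
// Added illustrative example; not the project's own code.
// Assumed: $_SESSION['user_id'] and $_SESSION['role'] are set at login from
// the users table, and a clients table has an owner_id column.

// Pattern described in the submission: the only test is "is there a
// session?", so any authenticated account reaches admin pages.
function check_login_weak(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
}

// Hardened form: authentication first, then a role check. The role is
// read from the server-side session (populated at login from the DB),
// never from a request parameter or cookie the client controls.
function require_role(string $required): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php');
        exit;
    }
    if (($_SESSION['role'] ?? '') !== $required) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Per-record scoping for non-admin views: put the ownership constraint in
// the query itself, so a record that does not belong to the caller is
// simply never returned, instead of being fetched and filtered afterwards.
function fetch_client_for_user(PDO $db, int $client_id, int $user_id): ?array
{
    $stmt = $db->prepare(
        'SELECT id, name, email FROM clients WHERE id = :id AND owner_id = :owner'
    );
    $stmt->execute([':id' => $client_id, ':owner' => $user_id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Assumed usage at the top of an admin page such as admin/manage-users.php:
//   session_start();
//   require_role('admin');
// and in a user-facing detail page:
//   $client = fetch_client_for_user($db, (int) $_GET['id'], (int) $_SESSION['user_id']);
//   if ($client === null) { http_response_code(404); exit; }
```

The two checks address the two halves of the finding separately: `require_role()` closes the "any logged-in session is admin" path, and `fetch_client_for_user()` supplies the per-record scoping the submission notes is absent, so a user who guesses another client's id gets nothing back rather than another customer's details.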