| Title | code-projects Chat System Using PHP 1.0 nsecure Direct Object Reference (IDOR) + SQL Injection + Weak Pa |
|---|
| Description | A chained vulnerability combining Insecure Direct Object Reference (IDOR), SQL Injection, broken password hashing logic, and plaintext password storage was discovered in the user account update functionality of Chat System Using PHP version 1.0, available at code-projects.org.
IDOR — Account Takeover via Arbitrary id: The file update_user.php accepts $_POST['id'] as the target user identifier without any ownership validation. An authenticated low-privilege user can supply any id value — including id=1 (administrator) — to overwrite any user's name, username, and password:
$id = $_POST['id']; // ← no check: $_POST['id'] == $_SESSION['id']
SQL Injection — Double Injection Points: Both the SELECT (to retrieve the current record) and the UPDATE (to save changes) queries concatenate unsanitized $_POST values directly:
$uq = mysqli_query($conn, "select * from `user` where userid='$id'"); // SQLi #1
mysqli_query($conn, "update `user` set uname='$name', username='$username', password='$newpassword' where userid='$id'"); // SQLi #2
Broken Password Logic — Conditional Plaintext Storage: A critical flaw in the password update logic stores the password in plaintext if the submitted value matches the existing database value:
if ($password == $uqrow['password']) {
$newpassword = $password; // ← plaintext stored unconditionally
} else {
$newpassword = md5($password); // ← MD5 without salt (weak)
}
This means: if an attacker obtains a user's current password (via SQLi or session hijacking) and submits it unchanged, the database will now store it in plaintext for future comparisons — degrading security on every subsequent update cycle.
MD5 without salt is trivially reversible via precomputed rainbow tables (e.g., CrackStation, hashes.com). |
|---|
| Source | ⚠️ https://gist.github.com/higordiego/84ae7f08f5c23debebf309de3920bda2 |
|---|
| User | c4ttr4ck (UID 75518) |
|---|
| Submission | 04/08/2026 23:21 (19 days ago) |
|---|
| Moderation | 04/26/2026 11:04 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 359678 [code-projects Chat System 1.0 MD5 Hash update_user.php Password weak hash] |
|---|
| Points | 20 |
|---|