| tiêu đề | Source Code & Projects PHP N/A Insecure Direct Object Reference |
|---|
| Mô tả | In viewdoctortimings.php, the Online Hospital Management System contains an Insecure Direct Object Reference (IDOR) vulnerability that allows a low-privileged user to delete doctor timing records belonging to other doctors. The script processes a delid parameter from the URL to delete a doctor_timings record, but it performs no ownership check to verify that the record actually belongs to the currently authenticated doctor. Additionally, the deletion logic is executed without any session validation, meaning the endpoint may even be reachable by unauthenticated users. |
|---|
| Nguồn | ⚠️ https://github.com/Carm3nc1ta/vuln-test/blob/main/Online%20Hospital%20Management%20System%20has%20IDOR%20vulnerability%20in%20viewdoctortimings_php.md |
|---|
| Người dùng | Ever1etY (UID 98199) |
|---|
| Đệ trình | 12/05/2026 20:22 (cách đây 24 ngày) |
|---|
| Kiểm duyệt | 31/05/2026 20:06 (19 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 367592 [code-projects Online Hospital Management System 1.0 viewdoctortimings.php delid nâng cao đặc quyền] |
|---|
| điểm | 20 |
|---|