| Field | Value |
|---|---|
| Title | https://github.com/tutorials-website Employee Management System (EMS Version-1.0) 1.0 broken access control |
| Description | Unprotected Private Functions on Employee Management System v1.0<br><br>Download app: https://github.com/tutorials-website/EMS-MINI-PROJECT<br><br>This application is vulnerable to broken access control because an arbitrary user can perform several restricted actions due to unprotected private functions.<br>Normally, an anonymous user has to log in to use the features of the application. Let's assume the web app is deployed at this local URL: http://localhost:8088.<br>So, when opening the page, the anonymous user will see the login page. Without logging in, the user should be unable to open other pages.<br>However, the user can execute a restricted function by directly sending this HTTP request.<br><br>Approving Leave:<br>`POST \| http://localhost:8088/admin/all-applied-leave.php \| approved=&comment=jqakozap%0D%0A&id=1`<br><br>Found by: BACFuzz Founder |
| Source | ⚠️ https://drive.google.com/file/d/1N5ApKiYw-yKNhVERr4m3ruooiANgpFRo/view?usp=sharing |
| User | ary52 (UID 85519) |
| Submitted | 2025-09-17 13:24 (7 months ago) |
| Moderated | 2025-09-26 10:30 (9 days later) |
| Status | Accepted |
| VulDB Entry | 325969 [Tutorials-Website Employee Management System up to 611887d8f8375271ce8abc704507d46340837a60 HTTP Request all-applied-leave.php privilege escalation] |
| Points | 20 |