Submission #749262: code-projects Contact Management System in PHP unknown Authentication Bypass Issues (info)

Title: code-projects Contact Management System in PHP unknown Authentication Bypass Issues
Description: The Contact Management System has no authentication or authorization controls on its CRUD endpoints. The core write and delete operations (`create.php`, `update.php`, and `delete.php`) execute database changes without verifying the caller's identity or permissions, and the web UI exposes destructive actions such as deletion through plain GET links (`delete.php?id=<id>`). As a result, any remote unauthenticated user can create, modify, or delete contacts and view the full contact listing.

Affected components:
- `create.php`: unauthenticated creation of contacts via POST
- `update.php`: unauthenticated modification via POST
- `delete.php`: unauthenticated deletion via GET, with no CSRF protection
- `index.php`, `edit.php`: display and edit interfaces that assume an authenticated user but never check for one

Reproduction (example):
1. Visit `http://<host>/index.php` to view all contacts; no authentication is required.
2. Submit a POST to `http://<host>/create.php` with the form fields (first, last, phone, etc.) to create a new record; the request succeeds without credentials.
3. Visit `http://<host>/delete.php?id=1`; the record is deleted without authentication and without a CSRF token.
4. Submit a POST to `http://<host>/update.php` with `id` and updated fields; the modification succeeds without authentication.

Impact:
- Complete unauthorized access to application data (read, write, delete).
- Data integrity compromise, data loss, and business disruption.
- Because destructive actions are reachable via GET with no token, they can also be triggered cross-site (CSRF) from a page a legitimate user visits, without the attacker contacting the server directly.
- Exposure of sensitive data if the database credentials stored in the source are leaked.

References / Evidence:
- Review `create.php`, `update.php`, and `delete.php` in the application source; `delete.php` reads `$_GET['id']` and executes the delete without any check.
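The following is an added example written for this page, not code from the Contact Management System or its author. The commented-out snippet at the top reconstructs the pattern the report describes for `delete.php` (an id taken from `$_GET`, no identity check, no token). The rest is a hardened replacement that requires a logged-in session, accepts only POST, verifies a CSRF token with a constant-time comparison, validates the id, and deletes through a prepared statement. It assumes things the page does not show: a `$pdo` PDO connection, a `contacts` table with `id` and `owner_id` columns, and a login page that sets `$_SESSION['user_id']`, which the application as reported does not have.

```php
<?php
// Added example, not the project's own code.
// Assumptions: $pdo is a PDO connection (ERRMODE_EXCEPTION), the table is
// `contacts` with columns `id` and `owner_id`, and a login page sets
// $_SESSION['user_id']. All of these are assumptions, not facts from the report.

// --- Pattern described in the report (reconstruction, kept for contrast) ---
// $id = $_GET['id'];
// mysqli_query($conn, "DELETE FROM contacts WHERE id = $id");  // no auth, no token, no validation

// --- Hardened delete.php ---
declare(strict_types=1);
session_start();

function require_login(): void {
    // Reject anyone without an authenticated session.
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('Authentication required');
    }
}

function csrf_token(): string {
    // One random token per session; index.php embeds it in the delete form.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function verify_csrf(?string $submitted): void {
    // hash_equals avoids a timing side channel on the comparison.
    if (!is_string($submitted) || !hash_equals($_SESSION['csrf_token'] ?? '', $submitted)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

require_login();

// Destructive actions only via POST: a bare link or <img src="delete.php?id=1"> can no longer fire them.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    header('Allow: POST');
    exit('Use POST');
}

verify_csrf($_POST['csrf_token'] ?? null);

// Validate the id as a positive integer before it goes anywhere near SQL.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// Authorization: scope the delete to records the caller owns (owner_id is an assumed column).
$stmt = $pdo->prepare('DELETE FROM contacts WHERE id = :id AND owner_id = :owner');
$stmt->execute([':id' => $id, ':owner' => $_SESSION['user_id']]);

if ($stmt->rowCount() === 0) {
    http_response_code(404);
    exit('Not found');
}
header('Location: index.php', true, 303);

// In index.php, render the delete action as a form instead of a GET link:
// <form method="post" action="delete.php">
//   <input type="hidden" name="id" value="<?= (int) $row['id'] ?>">
//   <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
//   <button type="submit">Delete</button>
// </form>
```

The same three checks (session, POST with token, validated input into a prepared statement) apply to `create.php` and `update.php`; the ownership predicate in the `WHERE` clause is what turns a pure authentication fix into an authorization fix, so a logged-in user cannot delete another user's records by guessing an id.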
User: imcoming (UID 95032)
Submitted: 2026-01-30 11:37 (3 months ago)
Moderated: 2026-02-07 15:57 (8 days later)
Status: Accepted
VulDB entry: 344875 [code-projects Contact Management System 1.0 CRUD Endpoint identifier weak authentication]
Points: 17
