
Client Details System V1.0 Insecure Direct Object Reference (IDOR) #11

@hellonewbie

Description


NAME OF AFFECTED PRODUCT(S)

  • Client Details System

Vendor Homepage

AFFECTED AND/OR FIXED VERSION(S)

submitter

  • LiuJiying

VERSION(S)

  • V1.0

Software Link

PROBLEM TYPE

Vulnerability Type

  • Broken Access Control (Vertical Privilege Escalation)
  • Insecure Direct Object Reference (IDOR) on destructive actions
  • Sensitive Information Exposure (plaintext passwords in user listing)

Root Cause

  • Authorization checks only verify that $_SESSION['login'] is non-empty and do not enforce roles or permissions.
  • Both admin and non-admin pages include the same weak guard: include("checklogin.php"); check_login(); which merely redirects unauthenticated users.
  • Data queries are unscoped: pages fetch and render all records to any logged-in user.
  • Destructive operations are triggered via GET parameters without role checks or CSRF protection.

Impact

  • Any authenticated user (e.g., the newly created user 78910) can view and modify “Client Details” and “Manage Users” pages intended for admins.
  • Full exposure of client PII (names, emails, phone numbers), and of users’ plaintext passwords.
  • Unauthorized deletion or modification of records via crafted URLs.
  • Practical vertical privilege escalation: regular users operate with admin-level visibility and actions.

DESCRIPTION

  • The application treats “logged in” as sufficient to access admin functionality. There is no role-based access control (RBAC) or per-record scoping.
  • As shown in the screenshots, user 123456 and the newly created user 78910 both see the same “Client Details” page and navigation. This matches the code where check_login() only verifies session presence.
  • Admin pages (admin\clientview.php, admin\manage-users.php) render to any logged-in session and expose sensitive data and admin actions.
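The Root Cause and Description sections above describe a guard that only tests that $_SESSION['login'] is non-empty, unscoped queries that return every record, destructive GET handlers with no CSRF protection, and plaintext passwords in the user listing. The following PHP is an added example written for this issue, not code from the Client Details System, showing that weak guard next to a hardened replacement. It assumes (hypothetically) that the login handler stores the user id in $_SESSION['login'] and a role string ('admin' or 'user') in $_SESSION['role'], that $pdo is a PDO connection, and that the tables clients (with an owner_id column) and users (with a password_hash column) are illustrative names.

```php
<?php
// Added example for this advisory; not the application's own code.
// Assumptions (hypothetical): $_SESSION['login'] = user id, $_SESSION['role'] = 'admin'|'user',
// $pdo = PDO handle, tables 'clients'(id, owner_id, name, email, phone) and
// 'users'(id, username, role, password_hash).
session_start();

// The guard described in the advisory: only checks that some session value exists,
// so every logged-in user passes it, including on admin pages.
function check_login_weak(): void {
    if (empty($_SESSION['login'])) {
        header('Location: index.php');
        exit;
    }
}

// Hardened guard: the caller must be authenticated AND hold one of the allowed roles.
function require_role(array $allowed): void {
    if (empty($_SESSION['login']) || empty($_SESSION['role'])) {
        header('Location: index.php');
        exit;
    }
    if (!in_array($_SESSION['role'], $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// CSRF token: generated once per session, compared in constant time.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function require_csrf(): void {
    $sent = $_POST['csrf'] ?? '';
    if (!is_string($sent) || !hash_equals($_SESSION['csrf'] ?? '', $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// Read path: admins see every client; a regular user sees only rows they own.
function fetch_clients(PDO $pdo): array {
    require_role(['admin', 'user']);
    if ($_SESSION['role'] === 'admin') {
        return $pdo->query('SELECT id, name, email, phone FROM clients')
                   ->fetchAll(PDO::FETCH_ASSOC);
    }
    $stmt = $pdo->prepare('SELECT id, name, email, phone FROM clients WHERE owner_id = ?');
    $stmt->execute([$_SESSION['login']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// User listing: admin only, and the password column is never selected.
// Passwords are stored as password_hash() output and checked with password_verify().
function fetch_users(PDO $pdo): array {
    require_role(['admin']);
    return $pdo->query('SELECT id, username, role FROM users')->fetchAll(PDO::FETCH_ASSOC);
}

// Destructive action: POST only, CSRF-checked, admin only, id validated before use.
function delete_client(PDO $pdo): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Method Not Allowed');
    }
    require_role(['admin']);
    require_csrf();
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        exit('Bad id');
    }
    $stmt = $pdo->prepare('DELETE FROM clients WHERE id = ?');
    $stmt->execute([$id]);
    if ($stmt->rowCount() === 0) {
        http_response_code(404);
        exit('No such record');
    }
}
```

Each page that today calls check_login() would instead call require_role() with the roles that page is meant for, the delete form would carry the value of csrf_token() in a hidden field, and the session role must be set server-side at login from the users table, never taken from the request.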

Vulnerability details and POC

Vulnerability type:

  • Broken Access Control (Vertical Privilege Escalation)
  • Insecure Direct Object Reference (IDOR) on destructive actions
  • Sensitive Information Exposure (plaintext passwords in user listing)

Payload:

[Two payload screenshots from the original issue; images not recoverable here]

Attack results

[Two result screenshots from the original issue; images not recoverable here]
