Summary
An Insecure Direct Object Reference (IDOR) vulnerability exists in the SourceCodester Ship/Ferry Ticket Reservation System that allows a low-privileged authenticated user to access and modify arbitrary user account information by manipulating the user identifier parameter.
The application fails to properly validate whether the authenticated user is authorized to access or modify the requested user object. By changing the `id` parameter, a low-privileged user can view and edit other users' account details, including privileged accounts.
This vulnerability may lead to unauthorized account access, privilege abuse, unauthorized profile modification, and compromise of administrative users.
Executive Summary
The application improperly enforces object-level authorization in the user management functionality.
A low-privileged authenticated user can manipulate the `id` parameter to access other users' profile information and modify account details without authorization. Since ownership validation is missing, the application exposes sensitive user objects to unauthorized users.
This issue introduces an object-level access control vulnerability that may allow attackers to tamper with arbitrary user accounts.
Scope
**Application Name:** Ship/Ferry Ticket Reservation System — PHP
**Vendor:** SourceCodester
**Affected Component:** User Management
**Vulnerability Type:** Insecure Direct Object Reference (IDOR)
Methodology
The vulnerability was identified through manual authenticated security testing using a low-privileged account.
Object-level authorization controls were tested by modifying the `id` parameter in user management functionality and observing whether unauthorized objects could be accessed or modified.
The following methodology was used:
- Authentication as a low-privileged user
- Parameter manipulation testing
- Direct object reference validation
- Authorization bypass verification
- Unauthorized object modification testing
Detailed Findings
Vulnerability Name
**Insecure Direct Object Reference (IDOR)**
Description
The application fails to properly validate authorization for object-level access in the user management functionality.
A low-privileged authenticated user can manipulate the `id` parameter to access arbitrary user profiles and modify account information belonging to other users.
The application does not validate whether the authenticated user owns or has permission to access the requested object.
Vulnerable Endpoint
```http
GET /admin/?page=user/manage_user&id=<user_id>
```
Steps to Reproduce
1. Authenticate into the application using a low-privileged (normal/staff) account.
2. Navigate to the following endpoint:
   ```http
   GET /admin/?page=user/manage_user&id=1
   ```
3. Observe that the profile information of the admin account is accessible.
4. Modify the `id` parameter:
   ```http
   GET /admin/?page=user/manage_user&id=2
   ```
5. Observe that another user's account details become accessible.
6. Attempt to modify user details and save the changes.
7. Observe that unauthorized modifications to arbitrary user accounts are permitted.
Proof of Concept
A low-privileged authenticated user was able to:
- Access arbitrary user account information
- View sensitive user details
- Modify account information of other users
- Access privileged user profiles by manipulating object identifiers
The application failed to implement proper object-level authorization checks, allowing unrestricted access to user objects.
Risk Scoring
**Severity:** Medium
**CVSS v3.1 Base Score:** 6.5 (Medium)
**CWE:** CWE-639 — Authorization Bypass Through User-Controlled Key
Impact
Successful exploitation of this vulnerability may allow an attacker to:
- Access arbitrary user account information
- Modify other users' profile data
- Tamper with privileged accounts
- Abuse user privileges
- Compromise account integrity
This may result in unauthorized account manipulation and privilege abuse within the application.
Remediation Summary
The application should enforce proper object-level authorization checks for all user-related functionality.
Before granting access to a user object, the server must validate whether the authenticated user has permission to access or modify the requested resource.
Recommended mitigations include:
- Implement ownership validation
- Enforce server-side authorization checks
- Restrict access to authorized resources only
- Validate object permissions on every request
- Avoid trusting user-controlled identifiers
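The following PHP handler for a user management page shows the object-level check the remediation calls for. It is an added example, not code from the SourceCodester project: the `$pdo` connection, the session keys `id` and `type`, the `users` table and its columns, and the convention that `type` 1 means administrator are all assumptions.

```php
<?php
// Added example, not the project's own code. Assumed: $pdo is an open PDO
// connection, $_SESSION holds the logged-in user's 'id' and 'type', and the
// `users` table has columns id, username, email, type (1 = administrator).
session_start();
// Only the record's owner or an administrator may read or edit it; the
// vulnerable handler runs the same queries without this check.
function can_access_user(array $session, int $requestedId): bool {
    $isAdmin = (int)($session['type'] ?? 0) === 1;
    $isOwner = isset($session['id']) && (int)$session['id'] === $requestedId;
    return $isAdmin || $isOwner;
}

function load_user(PDO $pdo, array $session, int $requestedId): ?array {
    if (!can_access_user($session, $requestedId)) {
        // Log the refusal so repeated probing of other ids shows up in monitoring.
        error_log(sprintf('denied user %s access to user id %d',
            $session['id'] ?? 'unknown', $requestedId));
        http_response_code(403);
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username, email, type FROM users WHERE id = :id');
    $stmt->execute([':id' => $requestedId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function update_user(PDO $pdo, array $session, int $requestedId, array $input): bool {
    if (!can_access_user($session, $requestedId)) {
        http_response_code(403);
        return false;
    }
    // Allow-list of editable columns; only administrators may change the role column.
    $allowed = ['username', 'email'];
    if ((int)($session['type'] ?? 0) === 1) { $allowed[] = 'type'; }
    $set = []; $params = [':id' => $requestedId];
    foreach ($allowed as $col) {
        if (array_key_exists($col, $input)) {
            $set[] = "$col = :$col";
            $params[":$col"] = $input[$col];
        }
    }
    if ($set === []) { return false; }
    $stmt = $pdo->prepare('UPDATE users SET ' . implode(', ', $set) . ' WHERE id = :id');
    return $stmt->execute($params);
}
// Reject non-integer ids before they reach the authorization check.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === false || $id === null) { http_response_code(400); exit; }
$user = load_user($pdo, $_SESSION, $id);
```

The same `can_access_user` test must run on the save (POST) path as well as the view path, since the advisory notes that modification, not only viewing, was unauthenticated at the object level.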
Appendix
**Vulnerability Category:** Broken Access Control / IDOR
**CWE Reference:** CWE-639 — Authorization Bypass Through User-Controlled Key
**Authentication Required:** Yes
**Privileges Required:** Low
**Attack Vector:** Network
**Security Risk:** Medium
Author
**Security Researcher:** Hemant Raj Bhati
**Category:** Web Application Security