Employee Performance Evaluation System 1.0 Insecure Direct Object Reference

2020.12.09

Credit: Manish Solanki

Risk: High

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

# Exploit Title: Employee Performance Evaluation System 1.0 - Able to delete Admin user from Local account Unauthenticated Insecure Direct Object Reference (IDOR)
# Date: 09/12/2020
# Exploit Author: Manish Solanki
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html
# Version: 1.0
# Tested on: Windows 10/Kali Linux
# PoC: https://drive.google.com/file/d/1LWU05ocapuoIL1nfqCF8DRu_T2gB-3sQ/view
Steps to Reproduce:
1) Login with Admin Credentials (Email: admin@admin.com Password: admin123)
2) Create Local Employee Account
3) Log Out from Admin Account
4) Now login Local Employee Account
5) Change url to ?page=user_list. Now I am able to delete / change admin user
http://localhost/epes/index.php?page=user_list
6) Now able to access admin privileges account and able to perform edit or delete operation from local account.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Employee Performance Evaluation System 1.0 Insecure Direct Object Reference

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.