# Vulnerability Summary

## Overview

- **Vulnerability ID**: #800384
- **Vulnerability Types**:
  - Insecure Direct Object Reference (IDOR)
  - SQL Injection
  - Weak Password Hashing Logic
- **Affected System**: Chat System Using PHP 1.0
- **Description**:
  - A chained vulnerability was discovered in the user account update feature (`update_user.php`): an Insecure Direct Object Reference (IDOR) lets any authenticated user pick which account is modified, two SQL injection points in the same handler give control over the queries, and the password update logic stores some passwords in plain text and the rest as unsalted MD5.

## Impact Scope

- **IDOR**: `update_user.php` takes the target user identifier from `$_POST['id']` without checking that it belongs to the logged-in user. An authenticated low-privileged user can submit any ID value (including ID=1, the admin account) and overwrite that user's name, username, and password, which amounts to a full account takeover.
- **SQL Injection**: Two injection points: the `SELECT` query (retrieving the current record) and the `UPDATE` query (saving the changes) both concatenate unvalidated `$_POST` values directly into the SQL string.
- **Weak Password Hashing Logic**: If the submitted password equals the value already stored in the database, the handler writes the submitted value back as-is, so the password is stored in plain text; in every other case it is stored as an unsalted MD5 hash, which is cheap to brute-force and offers no protection against precomputed (rainbow) tables.

## Remediation

- **IDOR**: Take the target user ID from the server-side session (`$_SESSION['id']`) instead of the request, or reject any request whose `id` does not match the session user; if administrators are allowed to edit other accounts, check the caller's role explicitly rather than trusting the submitted ID.
- **SQL Injection**: Use prepared statements with bound parameters for both the `SELECT` and the `UPDATE`; never interpolate request data into SQL.
- **Weak Password Hashing Logic**: Hash every stored password with a slow, salted algorithm (e.g. bcrypt via PHP's `password_hash()` / `password_verify()`), and remove the branch that writes the submitted value unhashed.

## POC Code

```php
<?php
// update_user.php, vulnerable excerpt reconstructed from the reported snippet.
// $conn is the application's database handle; the call below uses the
// mysqli_query($conn, $sql) argument order (the original snippet spells it mysql_query).
$id       = $_POST['id'];       // IDOR: never compared with $_SESSION['id']
$name     = $_POST['name'];     // assumed: the other fields come straight from $_POST too
$username = $_POST['username'];
$password = $_POST['password'];

// SQLi #1: $id is concatenated into the SELECT
$result = mysqli_query($conn, "select * from user where userid='$id';");
$row    = mysqli_fetch_assoc($result);

// Weak hashing: when the submitted value equals the stored one it is written back
// unhashed (plain text); otherwise it becomes an unsalted MD5 hash (weak).
if ($password == $row['password']) {
    $newpassword = $password;
} else {
    $newpassword = md5($password);
}

// SQLi #2: every field, including $id, is concatenated into the UPDATE
mysqli_query($conn, "update user set uname='$name', username='$username', password='$newpassword' where userid='$id';");
```
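The following hardened version of the update handler is an added example illustrating all three remediations together; it is not code from the affected project. It assumes `$conn` is an open `mysqli` connection, that the session stores the logged-in user's id under `$_SESSION['id']`, that the `user` table has the columns `userid`, `uname`, `username` and `password` (as in the vulnerable snippet), and it introduces a hypothetical `current_password` form field so that a password change requires re-authentication.

```php
<?php
// update_user.php, hardened version (added example, not the project's code).
// Assumptions: $conn is an open mysqli connection; the session holds the user's
// id in $_SESSION['id']; the `user` table has userid, uname, username, password;
// the form sends a hypothetical `current_password` field for re-authentication.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

if (!isset($_SESSION['id'])) {
    http_response_code(401);
    exit('not logged in');
}

// IDOR fix: the target row is always the session user. $_POST['id'] is
// ignored entirely, so there is nothing for the client to tamper with.
$id = (int) $_SESSION['id'];

$name     = trim($_POST['name'] ?? '');
$username = trim($_POST['username'] ?? '');
$current  = $_POST['current_password'] ?? '';   // hypothetical field (assumption)
$new      = $_POST['password'] ?? '';

if ($name === '' || $username === '' || strlen($name) > 64 || strlen($username) > 64) {
    http_response_code(400);
    exit('invalid input');
}

// SQLi #1 fix: the id is a bound integer parameter, never part of the SQL text.
$stmt = $conn->prepare('SELECT password FROM user WHERE userid = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();

// Re-authenticate before touching the account: the stored value is a
// password_hash() result, so it is compared with password_verify().
if ($row === null || !password_verify($current, $row['password'])) {
    http_response_code(403);
    exit('current password incorrect');
}

// Hashing fix: a new password always goes through bcrypt via password_hash()
// (random salt, configurable cost). There is no branch that writes the
// submitted value as-is; an empty field means "keep the existing hash".
$stored = $row['password'];
if ($new !== '') {
    if (strlen($new) < 12) {
        http_response_code(400);
        exit('password too short');
    }
    $stored = password_hash($new, PASSWORD_BCRYPT);
}

// SQLi #2 fix: every value is bound, including the new hash and the id.
$stmt = $conn->prepare('UPDATE user SET uname = ?, username = ?, password = ? WHERE userid = ?');
$stmt->bind_param('sssi', $name, $username, $stored, $id);
$stmt->execute();
$stmt->close();

echo 'account updated';
```

Two practical caveats: `get_result()` requires the mysqlnd driver (with the older libmysql build, use `bind_result()`/`fetch()` instead), and existing rows that hold plain text or unsalted MD5 values will fail `password_verify()`, so a migration is needed (force a reset, or verify with the old scheme once at login and immediately re-store the password with `password_hash()`). If administrators must be able to edit other accounts, add an explicit role check on the session user rather than reintroducing a client-supplied `id`.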