# Vulnerability Summary

## Overview

- **Title**: Fix IDOR in link management endpoints #975
- **Type**: Insecure Direct Object Reference (IDOR)
- **Status**: Open (Pending Fix)
- **Reporter**: az10b
- **Time**: 3 weeks ago

## Impact Scope

- Three link management endpoints accept a user-supplied link ID but do not verify that the authenticated user owns that link.
- Any registered user can therefore modify other users' links.
- Affected endpoints:
  - `POST /studio/edit-link` (saveLink)
  - `POST /studio/sort-link` (sortLinks)
  - `GET /clearIcon/{id}`

## Remediation

1. **saveLink**: Add an ownership check; abort with a 403 if the link belongs to another user.
2. **sortLinks**: Add `user_id` to the `WHERE` clause so that the update only touches links belonging to the authenticated user.
3. **clearIcon**: Add a `link-id` middleware to the route.

## POC Code

```javascript
// USER_B_LINK_ID is a placeholder for the ID of a link owned by another user.
fetch('/studio/edit-link', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
    'X-CSRF-TOKEN': document.querySelector('meta[name="csrf-token"]').content
  },
  body: new URLSearchParams({
    linkId: USER_B_LINK_ID,
    link: 'https://evil-site.com',
    title: 'Modified',
    type: 'link',
    button: 'custom_website'
  })
}).then(r => console.log('Status:', r.status))
```

**Expected Result**: Before the fix the request succeeds and the other user's link is overwritten; after the fix it returns 403 Forbidden.
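The three remediation steps, worked through as an added example that is not the project's own code: in-memory stand-ins for the link table and the handlers show the missing ownership check in saveLink beside the fixed version, the owner-scoped update that corresponds to adding `user_id` to the `WHERE` clause in sortLinks, and a link-id middleware guarding clearIcon. Every name here (`linkStore`, `saveLinkVulnerable`, `saveLink`, `sortLinks`, `requireLinkOwner`, `clearIcon`) and the sample rows are assumptions; JavaScript is used for consistency with the page's POC, not because the project is known to use it.

```javascript
// Added illustration of the three fixes (not the project's code).
// linkStore stands in for the links table; each handler returns an
// HTTP-like status so the outcome can be checked without a server.

// Constructed sample data: two users, each owning one link.
const linkStore = new Map([
  [1, { id: 1, user_id: 100, link: 'https://a.example', title: 'A', order: 1, icon: 'a.png' }],
  [2, { id: 2, user_id: 200, link: 'https://b.example', title: 'B', order: 1, icon: 'b.png' }],
]);

// Before the fix: the link is loaded by the client-supplied ID and written
// back without ever comparing link.user_id to the caller (the IDOR).
function saveLinkVulnerable(authUserId, body) {
  const link = linkStore.get(Number(body.linkId));
  if (!link) return { status: 404 };
  link.link = body.link;
  link.title = body.title;
  return { status: 200, link };
}

// Step 1 (saveLink): same lookup, but refuse with 403 unless the caller owns it.
function saveLink(authUserId, body) {
  const link = linkStore.get(Number(body.linkId));
  if (!link) return { status: 404 };
  if (link.user_id !== authUserId) return { status: 403 }; // ownership check
  link.link = body.link;
  link.title = body.title;
  return { status: 200, link };
}

// Step 2 (sortLinks): the in-memory equivalent of "... WHERE id = ? AND user_id = ?".
// IDs in the request that belong to another user are silently skipped, so a
// crafted ID list cannot reorder someone else's links.
function sortLinks(authUserId, orderedIds) {
  let updated = 0;
  orderedIds.forEach((id, position) => {
    const link = linkStore.get(Number(id));
    if (link && link.user_id === authUserId) {
      link.order = position + 1;
      updated += 1;
    }
  });
  return { status: 200, updated };
}

// Step 3 (clearIcon): a route middleware that resolves the link from the path
// parameter and stops the chain with 403 when the caller is not the owner.
// The handler behind it only ever sees a link the caller is allowed to touch.
function requireLinkOwner(req, next) {
  const link = linkStore.get(Number(req.params.id));
  if (!link) return { status: 404 };
  if (link.user_id !== req.user.id) return { status: 403 };
  req.link = link;
  return next(req);
}

function clearIcon(req) {
  return requireLinkOwner(req, (r) => {
    r.link.icon = null;
    return { status: 200, link: r.link };
  });
}

// Usage: user 100 replaying the POC against user 200's link.
const poc = { linkId: '2', link: 'https://evil-site.com', title: 'Modified' };
console.log('vulnerable:', saveLinkVulnerable(100, { ...poc, link: 'https://x.example' }).status);
console.log('fixed:', saveLink(100, poc).status);
```

The vulnerable handler is only there for contrast; the point to carry over to the real code is that every handler taking a link ID from the request resolves the row and checks its `user_id` against the session before writing, whether that check lives in the handler (saveLink), in the query (sortLinks) or in a middleware (clearIcon).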