Tutorials-website | Employee Management System(EMS Version-1.0) | delete-user.php | IDOR

Hi All, 

I am Maloy Roy Orko

Recently, during one of my pentest research sessions, I found an Employee Management System application by tutorials-website. It is an open-source Employee Management System used to manage the users of a company or organization.

Curious to explore its functionality, I downloaded it and set it up on my local system.

After digging through the source code, I found that the delete-user.php file is vulnerable to IDOR!



It can lead to:

- Unauthorized Data Access
- Data Manipulation
- Account Takeover
- Privilege Escalation
- Denial of Service (DoS)
- Reputation Damage
- Regulatory Consequences

The main point is: if any non-IT person deploys this template, they inherit this vulnerability, and their company's reputation can be damaged too. That is why I am trying to inform everyone about it.


Title of the Vulnerability

Tutorials-website | Employee Management System(EMS Version-1.0) | delete-user.php | IDOR 

Vulnerability Class: Insecure Direct Object Reference (IDOR)

Product Name: Employee Management System(EMS Version-1.0)

Vendor: https://github.com/tutorials-website

Vulnerable Product Link: https://github.com/tutorials-website/EMS-MINI-PROJECT

Technical Details & Description: The application source code is written in a way that allows an Insecure Direct Object Reference: delete-user.php deletes the user whose `id` is supplied in the request without checking that the caller is an authenticated administrator.

It can lead to:

- Unauthorized Data Access
- Data Manipulation
- Account Takeover
- Privilege Escalation
- Denial of Service (DoS)
- Reputation Damage
- Regulatory Consequences

Product & Service Introduction: 

Employee Management System(EMS Version-1.0)

Observation & Exploitation: 

Here, the vulnerable file is: delete-user.php

Who is affected by this IDOR attack?

-> The administrator and all other users! They will no longer be able to access their accounts, see their tasks, their employee verification information, or their leave verification data, because their accounts can be deleted without any administrator interaction, by an unauthorized attacker.

Let's Exploit 🌠🗝️🔐:

First, go to delete-user.php

You will see that no administrator access is needed to reach this endpoint! Only the parameter value is required!

Example:

 http://192.168.0.100:8080/ems2/admin/delete-user.php?id=9

Now, supply any employee's account ID as the parameter to delete that employee's company account!

Here, I will delete the company account of Mukesh.

As you can see, the ID of Mukesh is 8!

So,The Payload Will be Like This:

http://192.168.0.100:8080/ems2/admin/delete-user.php?id=8

Consequences & Impact:

Just open this URL in the browser and Mukesh's account is deleted. In the same way you can delete even the admins, and they will lose access to the company system!

See the image: the account of Mukesh has been deleted!
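For defenders, this is what a fixed delete-user.php should look like. The code below is an added example, not the project's own file; it assumes the application stores the logged-in user in `$_SESSION['user_id']` and `$_SESSION['role']`, keeps employees in a `users` table with an integer `id`, and uses a PDO connection (the DSN and credentials are placeholders).

```php
<?php
// Hardened delete-user.php (added example, not the project's code).
// Assumed session keys, table name and DB credentials are placeholders.
session_start();

// 1. Authentication + authorization: only a logged-in admin may delete users.
//    The original endpoint performs no such check, which is the IDOR.
if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Deleting is a state change: require POST and a per-session CSRF token,
//    so a pasted link such as delete-user.php?id=8 no longer does anything.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
    http_response_code(400);
    exit('Invalid request');
}

// 3. Validate the identifier instead of trusting it blindly.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Invalid id');
}

// 4. Do not let an admin delete their own account through this path,
//    which would lock the last administrator out of the system.
if ($id === (int) $_SESSION['user_id']) {
    http_response_code(400);
    exit('Cannot delete the current account');
}

// 5. Prepared statement; DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=ems', 'ems_user', 'CHANGE_ME',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('DELETE FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);

// 6. Audit trail: record which admin deleted which user.
error_log(sprintf('admin %d deleted user %d', $_SESSION['user_id'], $id));

header('Location: manage-users.php');
exit;
```

The matching form must send the `id` and `csrf_token` fields by POST; the token is generated once per session with `bin2hex(random_bytes(32))` and stored in `$_SESSION['csrf_token']`.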

Conclusion :- 


The main aim of this article is to show that if any non-IT person deploys this template, they inherit this vulnerability, and their company's reputation can be damaged too. I also hope it gives you ideas about how combining attacks can make them much more potent.
