Detronetdip E-commerce IDOR Vulnerability in Product Management Module
Vulnerability
A critical Insecure Direct Object Reference (IDOR) vulnerability has been identified in Detronetdip E-commerce version 1.0.0. It affects the Delete and Update functions of the Product Management Module. Both functions look up the target product solely by the client-supplied 'id' parameter and never verify that the product belongs to the currently logged-in seller. Any authenticated seller can therefore modify or delete any product in the catalog simply by substituting another seller's product id. Attackers can change product details such as prices and descriptions or delete products outright, which can lead to financial fraud, marketplace defacement, and a denial of service through removal of products from the catalog.
Impact
Exploitation of this vulnerability allows authenticated sellers to manipulate or delete products from other sellers, leading to potential financial loss, disruption of marketplace integrity, and unauthorized changes to product information.
Reproduction
To reproduce this vulnerability, log in as a seller and submit a POST request to the 'updateproduct.php' script in the Product Management Module. Set the 'id' parameter to the id of a product owned by a different seller and supply modified values for the remaining form fields (product name, price, and quantity). Because the backend never compares the product's owner with the seller id held in the session, the update is applied to the other seller's product. The Delete function is exploitable in the same way by supplying another seller's product id.
Remediation
To address this vulnerability, enforce ownership in every query that updates or deletes a product on behalf of a seller. The 'WHERE' clause must constrain both the product id and the seller id, and the seller id must be taken from the server-side session, never from a request parameter, or the check is trivially bypassed. The handler should also treat zero affected rows as a failure (the product does not exist or is not owned by the caller) rather than reporting success.
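The following is an added example, not code from Detronetdip E-commerce, that models both the reproduction above and the remediation. The real application is PHP; this Python model uses an in-memory SQLite table with two sellers (ids 100 and 200) and one product each, all constructed here. The column and function names are assumptions. The vulnerable update selects the row by the submitted 'id' alone; the hardened update and delete add the session's seller id to the WHERE clause and treat zero affected rows as a failure. The same WHERE clause applies verbatim in a PHP prepared statement.

```python
import sqlite3

# Constructed sample data (not from the advisory): two sellers, one product each.
SCHEMA = """
CREATE TABLE products (
    id        INTEGER PRIMARY KEY,
    seller_id INTEGER NOT NULL,
    name      TEXT    NOT NULL,
    price     REAL    NOT NULL,
    quantity  INTEGER NOT NULL
);
INSERT INTO products VALUES (1, 100, 'Seller A widget', 19.99, 10);
INSERT INTO products VALUES (2, 200, 'Seller B gadget', 49.00, 3);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_product_vulnerable(conn, session_seller_id, form):
    """Models the flawed updateproduct.php: the row is chosen by the
    client-supplied 'id' only; session_seller_id is never consulted."""
    cur = conn.execute(
        "UPDATE products SET name = ?, price = ?, quantity = ? WHERE id = ?",
        (form["name"], form["price"], form["quantity"], form["id"]),
    )
    conn.commit()
    return 200 if cur.rowcount else 404


def update_product_fixed(conn, session_seller_id, form):
    """Hardened form: ownership is part of the WHERE clause, so another
    seller's product id matches zero rows and nothing is changed."""
    cur = conn.execute(
        "UPDATE products SET name = ?, price = ?, quantity = ? "
        "WHERE id = ? AND seller_id = ?",
        (form["name"], form["price"], form["quantity"], form["id"], session_seller_id),
    )
    conn.commit()
    # Zero rows means "not found or not yours"; report failure, don't distinguish.
    return 200 if cur.rowcount else 404


def delete_product_fixed(conn, session_seller_id, product_id):
    """Same ownership constraint applied to the Delete function."""
    cur = conn.execute(
        "DELETE FROM products WHERE id = ? AND seller_id = ?",
        (product_id, session_seller_id),
    )
    conn.commit()
    return 200 if cur.rowcount else 404


def product(conn, product_id):
    """Returns (seller_id, name, price, quantity) or None."""
    return conn.execute(
        "SELECT seller_id, name, price, quantity FROM products WHERE id = ?",
        (product_id,),
    ).fetchone()


def demo():
    # Seller B (session id 200) posts the update form with id=1, which belongs to seller A.
    tampered = {"id": 1, "name": "pwned", "price": 0.01, "quantity": 0}

    vuln = fresh_db()
    vuln_status = update_product_vulnerable(vuln, 200, tampered)
    vuln_row = product(vuln, 1)

    fixed = fresh_db()
    fixed_status = update_product_fixed(fixed, 200, tampered)
    fixed_row = product(fixed, 1)
    del_status = delete_product_fixed(fixed, 200, 1)
    # Seller B updating its own product still works after the fix.
    own_status = update_product_fixed(
        fixed, 200, {"id": 2, "name": "Seller B gadget v2", "price": 55.0, "quantity": 3}
    )
    own_row = product(fixed, 2)

    return {
        "vuln_status": vuln_status, "vuln_name": vuln_row[1],
        "fixed_status": fixed_status, "fixed_name": fixed_row[1],
        "del_status": del_status, "still_exists": product(fixed, 1) is not None,
        "own_status": own_status, "own_name": own_row[1],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In the vulnerable path the tampered update returns 200 and seller A's product is renamed; in the hardened path both the update and the delete return 404 and the row is untouched, while seller B's update of its own product still succeeds.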
