PHPGURUKUL Online Shopping Portal
cpe:2.3:a:phpgurukul:online_shopping_portal:*:*:*:*:*:*:*
- 2.1
An Insecure Direct Object Reference (IDOR) vulnerability exists in the Track Order feature of PHPGURUKUL Online Shopping Portal version 2.1. The order lookup is keyed solely on the client-supplied 'oid' parameter and is not checked against the logged-in user's account, so an authenticated user can retrieve any other customer's order details by changing that value. Exposed data includes personal information, order specifics, and transaction history.
Exploitation requires only a valid low-privilege account. Because order identifiers are sequential integers, an attacker can enumerate them and disclose the order information of every other user, leading to privacy violations and misuse of personal data.
To reproduce this vulnerability, log in as a legitimate user and place an order. Navigate to the order history page and click the track button for the purchased item. Note the 'oid' value in the resulting URL, then request the same URL with a different 'oid' value: the portal returns the order details belonging to another user instead of rejecting the request.
To address this vulnerability, enforce server-side authorization on every order lookup so that users can only access their own orders: bind the query to the authenticated user's identifier from the session rather than trusting the request, validate ownership before rendering any sensitive data, and return a not-found response for orders the user does not own. Indirect object references (unguessable per-user order tokens in place of sequential integers) reduce enumeration but are not a substitute for the ownership check.
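The following PHP is an added illustration of the fix described above, not code from the PHPGurukul portal. The table and column names (orders, orderid, userid, public_ref), the session key 'userid', and the connection details are assumptions chosen for the example; the vulnerable pattern is shown beside its hardened form so the missing check is visible.

```php
<?php
// Added example for the Track Order IDOR; NOT the portal's own code.
// Assumed schema: orders(orderid INT, userid INT, public_ref CHAR(32), ...).
// Assumed session layout: $_SESSION['userid'] holds the logged-in user's id.

// Vulnerable pattern: the row is selected by the client-controlled 'oid'
// alone. The prepared statement prevents SQL injection, but nothing ties the
// order to the caller, so any logged-in user can read any order.
function trackOrderVulnerable(PDO $pdo, array $get): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM orders WHERE orderid = ?');
    $stmt->execute([$get['oid'] ?? '']);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: require an authenticated session, validate the id, and
// make ownership part of the WHERE clause so the database never returns a
// row the caller does not own. A miss is reported as 404 rather than 403 so
// the response does not confirm whether the guessed order id exists.
function trackOrderOwned(PDO $pdo, array $get, array $session): ?array
{
    if (empty($session['userid'])) {
        http_response_code(401);
        return null;
    }
    $oid = filter_var(
        $get['oid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($oid === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT orderid, productid, quantity, orderdate, status
           FROM orders
          WHERE orderid = :oid AND userid = :uid'
    );
    $stmt->execute([':oid' => $oid, ':uid' => (int) $session['userid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return null;
    }
    return $row;
}

// Optional indirect reference: an unguessable per-order token to expose in
// URLs instead of the sequential orderid. It removes trivial enumeration,
// but the lookup below still carries the ownership predicate; the token is
// defence in depth, not the access control.
function newPublicOrderRef(): string
{
    return bin2hex(random_bytes(16)); // 32 hex chars, 128 bits of entropy
}

function trackOrderByRef(PDO $pdo, string $ref, array $session): ?array
{
    if (empty($session['userid']) || !preg_match('/^[0-9a-f]{32}$/', $ref)) {
        http_response_code(404);
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT orderid, productid, quantity, orderdate, status
           FROM orders
          WHERE public_ref = :ref AND userid = :uid'
    );
    $stmt->execute([':ref' => $ref, ':uid' => (int) $session['userid']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage in a request handler (connection details are placeholders):
// session_start();
// $pdo = new PDO('mysql:host=localhost;dbname=shopping', 'dbuser', 'dbpass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $order = trackOrderOwned($pdo, $_GET, $_SESSION);
// if ($order !== null) { /* render order details */ }
```

The single line that matters is the `AND userid = :uid` predicate bound to the session, not the request. A quick regression check for the fix is the reproduction procedure above: after the change, a request with another user's 'oid' must return 404 with no order data in the body.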