SourceCodester Human Resource Management Insecure Direct Object Reference Vulnerability

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in SourceCodester Human Resource Management version 1.0. The issue resides in the Employee View Page component, specifically within the detailview.php file. The vulnerability allows authenticated users to manipulate the employeeid parameter to access unauthorized employee records, including sensitive information from other users and administrative accounts. This lack of proper authorization checks could lead to unauthorized disclosure of confidential employee data and facilitate privilege escalation within the application.

Impact

Exploitation of this vulnerability allows access to confidential employee information, including names, email addresses, contact details, and roles. It also enables unauthorized access to administrative records and profiles, potentially leading to privilege escalation by abusing administrative functionalities.

Reproduction

To reproduce this vulnerability, authenticate to the HRM application with a valid employee account. Then, navigate to the detailview.php endpoint and modify the employeeid parameter to access records of other employees or administrative users. This can also be done with the employeeadd.php endpoint by changing the empid parameter.

Remediation

It is recommended to enforce strict server-side authorization checks, validate resource access permissions, avoid exposing predictable identifiers, implement role-based access control, and monitor unauthorized access attempts.
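The following is an added example of the server-side authorization check the remediation calls for; it is not code from SourceCodester HRM. It assumes the login flow stores the user's id and role in `$_SESSION`, that employee rows live in a table `employee` keyed by `employeeid`, and that `$pdo` is an existing PDO connection.

```php
<?php
// Added example (not the project's own code). Assumptions: the login flow
// populates $_SESSION['userid'] and $_SESSION['role'], the employee table is
// named `employee` with primary key `employeeid`, and $pdo already exists.
session_start();

function can_view_employee(array $session, int $requestedId): bool {
    // Deny by default: an unauthenticated request never reaches a record.
    if (empty($session['userid']) || empty($session['role'])) {
        return false;
    }
    // Administrators may view any record; everyone else only their own.
    if ($session['role'] === 'admin') {
        return true;
    }
    return (int) $session['userid'] === $requestedId;
}

// Validate the identifier before it touches the database or any check.
$requestedId = filter_input(INPUT_GET, 'employeeid', FILTER_VALIDATE_INT);
if ($requestedId === false || $requestedId === null) {
    http_response_code(400);
    exit('Invalid employee id');
}

if (!can_view_employee($_SESSION, $requestedId)) {
    // Record the denied request so repeated probing of other ids is visible.
    error_log(sprintf(
        'Denied detailview access: user %s requested employeeid %d',
        $_SESSION['userid'] ?? 'anonymous',
        $requestedId
    ));
    http_response_code(403);
    exit('Forbidden');
}

// Authorization passed: fetch the record with a prepared statement.
$stmt = $pdo->prepare('SELECT * FROM employee WHERE employeeid = ?');
$stmt->execute([$requestedId]);
$employee = $stmt->fetch(PDO::FETCH_ASSOC);
```

The same `can_view_employee()` check applies to employeeadd.php and its empid parameter, since the ownership rule is the same for both endpoints.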

Added: Jun 2, 2026, 9:26 PM
Updated: Jun 2, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.