SourceCodester Leave Application System Insecure Direct Object Reference Vulnerability

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in SourceCodester Leave Application System version 1.0, a PHP application backed by SQLite3. The issue resides in the user management feature, specifically the page '/index.php?page=manage_user'. An authenticated user can bypass authorization by changing the 'id' parameter in the URL, because the application never checks whether the requesting user is permitted to view or modify the referenced account. The flaw is exploitable remotely and is classified as improper authorization.

Impact

Exploitation of this vulnerability could lead to unauthorized access to and modification of other users' accounts, with the potential to escalate privileges and take over administrator accounts.

Reproduction

To reproduce this vulnerability, log into the application and navigate to the User Management section. Then, modify the 'id' parameter in the URL to access different user profiles without any authorization checks.
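The pattern behind this advisory, as an added illustration that is not the project's own code: a handler that trusts the 'id' parameter as-is, beside one that enforces a server-side ownership-or-admin check before touching the record. It is written in Python with an in-memory SQLite3 table rather than the application's PHP; the table layout, role names and session object are assumptions.

```python
import sqlite3
from dataclasses import dataclass


def make_db() -> sqlite3.Connection:
    """Constructed sample user table; schema and rows are assumptions, not the app's."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "admin"), (2, "alice", "employee"), (3, "bob", "employee")],
    )
    return conn


@dataclass(frozen=True)
class Session:
    """What the server knows about the logged-in user (assumed shape)."""
    user_id: int
    role: str


def parse_id(raw: str) -> int:
    """Reject anything that is not a positive integer before it reaches a query."""
    if not raw.isdigit() or int(raw) <= 0:
        raise ValueError("invalid id parameter")
    return int(raw)


def manage_user_vulnerable(conn: sqlite3.Connection, session: Session, raw_id: str):
    """The IDOR: the request's 'id' is used directly, the session is never consulted."""
    return conn.execute("SELECT * FROM users WHERE id = ?", (parse_id(raw_id),)).fetchone()


def is_authorized(session: Session, target_id: int) -> bool:
    """Only the account owner or an administrator may act on a user record."""
    return session.role == "admin" or session.user_id == target_id


def manage_user_fixed(conn: sqlite3.Connection, session: Session, raw_id: str):
    """Hardened handler: authorization is decided server-side, from the session, not the URL.
    The same check must guard every operation on the record (view, update, delete)."""
    target_id = parse_id(raw_id)
    if not is_authorized(session, target_id):
        raise PermissionError(f"user {session.user_id} may not access user {target_id}")
    return conn.execute("SELECT * FROM users WHERE id = ?", (target_id,)).fetchone()
```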

Added: Apr 2, 2026, 11:22 AM
Updated: Apr 2, 2026, 11:22 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.0
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.