Code-Projects Invoice System in Laravel Insecure Direct Object Reference Vulnerability
Vulnerability
A vulnerability exists in Code-Projects Invoice System version 1.0, specifically within the Profile Handler component. The profile workflow takes a user-controlled ID from the route ('/profile/{id}') and acts on that record without checking that it belongs to the authenticated user, i.e. a classic insecure direct object reference (IDOR). This flaw allows remote attackers to view or modify any user's profile data simply by changing the ID in the URL. The vulnerability has been publicly disclosed and is currently unpatched.
Impact
Exploitation of this vulnerability allows unauthorized access to the private profile information of other users and arbitrary modification of any user's name, email address, and settings. Because an attacker who rewrites a victim's email address can then drive the account recovery (password reset) flow for that account, it can lead to full account takeover.
Reproduction
To reproduce this vulnerability, authenticate as an ordinary user and send a POST request to the '/profile/{id}' endpoint, replacing '{id}' with the ID of another user's profile. Include the desired changes in the request body, such as a new name or email address. The server processes the request without verifying that the authenticated user is permitted to access or modify the specified profile: instead of the expected 403 response, the request succeeds and the target user's record is changed. Since profile IDs are sequential integers, a tester can confirm the issue by repeating the request with neighbouring IDs and observing that each one is accepted.
Remediation
It is recommended to bind profile actions to the authenticated user (the current user from the session rather than an ID supplied by the client) and, where an ID must remain in the route, to enforce authorization policies so that users can only read or modify their own profiles. Additionally, using non-sequential identifiers such as UUIDs makes enumeration of user profiles harder; this is defense in depth only and does not replace the authorization check.
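The following is an added example written for this page and is not code from Code-Projects Invoice System; the advisory only states that '/profile/{id}' trusts the client-supplied ID, so the controller, policy, route, column and test names below are assumptions. It shows the vulnerable pattern described above beside the two remediations (bind to the authenticated user, or keep the ID and enforce a policy), plus a Laravel feature test that replays the reproduction step so the fix can be verified.

```php
<?php
// Added example (not Code-Projects' code). Class, method, column and test names
// are assumptions; the advisory only states that /profile/{id} trusts the id.
//
// routes/web.php (assumed). The vulnerable app registers the first route; the
// fix replaces it with one of the other two:
//   Route::middleware('auth')->group(function () {
//       Route::post('/profile/{id}',   [ProfileController::class, 'update']);           // vulnerable
//       Route::post('/profile',        [ProfileController::class, 'updateOwn']);        // fix 1
//       Route::post('/profile/{user}', [ProfileController::class, 'updateWithPolicy']); // fix 2
//   });

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Gate;

class ProfileController extends Controller
{
    // VULNERABLE (the pattern the advisory describes): the 'auth' middleware only
    // proves that *some* user is logged in. The record that gets updated is chosen
    // by the client-supplied id, so any user can rewrite any other user's profile.
    public function update(Request $request, int $id)
    {
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ]);
        $user = User::findOrFail($id);   // attacker controls $id
        $user->update($data);
        return back()->with('status', 'Profile updated');
    }

    // FIX 1: bind the action to the authenticated user. Route it as '/profile'
    // with no id parameter; the client can no longer name a target record.
    public function updateOwn(Request $request)
    {
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ]);
        $request->user()->update($data);
        return back()->with('status', 'Profile updated');
    }

    // FIX 2: if the id must stay in the route (e.g. an admin screen), keep it but
    // authorize against the resolved model before touching it.
    public function updateWithPolicy(Request $request, User $user)
    {
        Gate::authorize('update', $user);   // 403 unless UserPolicy::update returns true
        $data = $request->validate([
            'name'  => ['required', 'string', 'max:255'],
            'email' => ['required', 'email', 'max:255'],
        ]);
        $user->update($data);
        return back()->with('status', 'Profile updated');
    }
}

namespace App\Policies;

use App\Models\User;

// Discovered automatically by Laravel's policy auto-discovery for App\Models\User.
class UserPolicy
{
    // The check the vulnerable code never makes: the target must be the caller.
    public function update(User $actor, User $target): bool
    {
        return $actor->is($target);
    }
}

namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

// Regression test replaying the advisory's reproduction step: authenticated as one
// user, POST profile changes to another user's id, expect 403 and an unchanged
// record. Against the vulnerable 'update' route this fails (the request is
// accepted and the victim's email is overwritten); against fix 2 it passes.
class ProfileIdorTest extends TestCase
{
    use RefreshDatabase;

    public function test_user_cannot_modify_another_users_profile(): void
    {
        $victim   = User::factory()->create(['email' => 'victim@example.test']);
        $attacker = User::factory()->create();

        $this->actingAs($attacker)
            ->post("/profile/{$victim->id}", ['name' => 'pwned', 'email' => 'attacker@example.test'])
            ->assertForbidden();

        $this->assertSame('victim@example.test', $victim->fresh()->email);
    }
}
```

Run the test with `php artisan test --filter ProfileIdorTest`. The same policy method pattern should be applied to the read side of the profile (a `view` ability checked before returning another user's data), since the advisory covers viewing as well as modifying. For the non-sequential identifier recommendation, Laravel's `HasUuids` model trait can replace the auto-increment primary key, but as noted above that only raises the cost of enumeration; the policy check is what closes the IDOR.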
