Code-Projects Chat System Weak Password Hash Vulnerability in Update User Functionality

Vulnerability

A vulnerability exists in Code-Projects Chat System version 1.0, specifically in the user account update feature within the file update_user.php. This vulnerability combines Insecure Direct Object Reference (IDOR), SQL Injection, weak password hashing, and plaintext password storage. The IDOR aspect allows low-privilege users to overwrite any user's account details, including passwords, without authorization. The SQL Injection vulnerability arises from unsanitized user input being directly concatenated into SQL queries, creating two injection points. Additionally, a flaw in the password update logic can lead to passwords being stored in plaintext under certain conditions, and where hashing is applied it uses unsalted MD5, which is weak and easily cracked. This vulnerability can be exploited remotely by authenticated users with a valid session.

Impact

Exploitation of this vulnerability allows for full account takeover of any user, including administrators, by overwriting account details with new information. It also exposes passwords in plaintext under certain conditions, and the use of weak hashing with MD5 without salt enables quick cracking of password hashes using rainbow tables. Furthermore, the SQL Injection vulnerability could be used to lock out all users simultaneously by manipulating the update query.

Reproduction

To reproduce this vulnerability, an authenticated user with low privileges can send a POST request to the update_user.php file. The request must include an arbitrary user ID in the id parameter, along with new values for the name, username, and password. The absence of ownership validation allows the user to overwrite any account's details, including that of an administrator.

Remediation

It is recommended to implement ownership validation, ensuring users can only update their own accounts. Using prepared statements to prevent SQL Injection, adopting strong password hashing methods, and removing the plaintext password storage fallback are also advised. Additionally, adding CSRF token validation, implementing role-based access control, and requiring current password confirmation for sensitive changes can enhance security.
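The following is an added example of what a hardened update handler implementing these recommendations could look like; it is not code from the Code-Projects project and does not reproduce the vulnerable file. It assumes (not taken from the advisory) a PDO connection in `$pdo` configured to throw on errors, a `users` table with columns `id`, `name`, `username`, `password`, and a session that stores the logged-in user's `user_id`, `role`, and a previously issued `csrf_token`.

```php
<?php
// Added example (not the project's own code): hardened account update handler.
// Assumed environment: $pdo (PDO, ERRMODE_EXCEPTION), table `users`
// (id, name, username, password), session keys user_id, role, csrf_token.
session_start();

function respond(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['message' => $message]);
    exit;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    respond(405, 'POST required');
}
if (empty($_SESSION['user_id'])) {
    respond(401, 'Not authenticated');
}

// CSRF token validation: the submitted token must match the one issued with the form.
$token = $_POST['csrf_token'] ?? '';
if (!is_string($token) || empty($_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], $token)) {
    respond(403, 'Invalid CSRF token');
}

// Ownership validation plus role-based access control: a user may only update
// their own account; only an administrator may target another id.
$actorId     = (int) $_SESSION['user_id'];
$isAdmin     = ($_SESSION['role'] ?? '') === 'admin';
$targetId    = isset($_POST['id']) ? (int) $_POST['id'] : $actorId;
if ($targetId !== $actorId && !$isAdmin) {
    respond(403, 'You may only update your own account');
}

$name            = trim((string) ($_POST['name'] ?? ''));
$username        = trim((string) ($_POST['username'] ?? ''));
$currentPassword = (string) ($_POST['current_password'] ?? '');
$newPassword     = (string) ($_POST['new_password'] ?? '');

if ($name === '' || $username === '' || strlen($username) > 64) {
    respond(400, 'Invalid name or username');
}

// Current password confirmation: the acting user re-authenticates before any change.
$stmt = $pdo->prepare('SELECT password FROM users WHERE id = :id');
$stmt->execute([':id' => $actorId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false || !password_verify($currentPassword, $row['password'])) {
    respond(403, 'Current password does not match');
}

// Build the update with prepared statements only; the column list is fixed
// server-side, and every user-controlled value is bound as a parameter.
$fields = ['name = :name', 'username = :username'];
$params = [':name' => $name, ':username' => $username, ':id' => $targetId];

// Strong salted hashing via password_hash(); there is no plaintext fallback.
// The password column is only touched when a new password is actually supplied.
if ($newPassword !== '') {
    if (strlen($newPassword) < 12) {
        respond(400, 'New password too short');
    }
    $fields[] = 'password = :password';
    $params[':password'] = password_hash($newPassword, PASSWORD_DEFAULT);
}

$sql  = 'UPDATE users SET ' . implode(', ', $fields) . ' WHERE id = :id';
$stmt = $pdo->prepare($sql);
$stmt->execute($params);

respond(200, 'Account updated');
```

Two practical notes on this design: the `id` parameter is no longer trusted as the thing that decides whose row is written, so a tampered `id` from a non-admin session is rejected rather than silently honoured; and because `password_verify()` only understands hashes produced by `password_hash()`, an installation that already holds unsalted MD5 values needs a migration path (for example, re-hashing each account on its next successful login) before the confirmation check above will pass for existing users.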

Added: Apr 27, 2026, 9:21 AM
Updated: Apr 27, 2026, 9:21 AM

Vulnerability Rating

Custom Algorithm

  spread          1.0
  impact          1.3
  exploitability  6.8
  remediation     0.0
  relevance       6.8
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.