Security Vulnerability Report: IDOR — Any User Can Change Any User's Profile Photo
Hello bitsandbots team,
I found an IDOR (Insecure Direct Object Reference) vulnerability in the profile photo upload feature.
Severity
Medium (CVSS 6.5) — CWE-639: Authorization Through User-Controlled Key
Affected File
users/edit_account.php lines 14–26
Vulnerable Code
if (!verify_csrf()) { ... } // CSRF check passes — but only validates session token
if (isset($_POST["submit"])) {
$user_id = (int)$_POST["user_id"]; // ← ATTACKER CONTROLS THIS
$photo = new Media();
$photo->upload($_FILES["file_upload"]);
if ($photo->process_user($user_id)) { // ← Updates ANY user's photo!
Root Cause
The user_id is read from $_POST["user_id"] instead of $_SESSION["user_id"]. The CSRF token check only validates that the request comes from a logged-in session — it does NOT prevent an authenticated attacker from using their own valid CSRF token to update a different user's photo.
Compare with the correct pattern used in the same file for text updates:
$id = (int)$_SESSION["user_id"]; // ← correct, uses session
Proof of Concept
- Attacker logs in as any
ROLE_USER account
- Loads
/users/edit_account.php to obtain their own valid CSRF token
- Submits:
POST /users/edit_account.php
Cookie: PHPSESSID=<attacker_session>
csrf_token=<valid_attacker_csrf>&submit=1&user_id=<victim_id>&file_upload=<image>
- Victim's (including admin's) profile photo is now replaced
Fix
// Replace POST-sourced user_id with session-sourced:
$user_id = (int)$_SESSION["user_id"]; // always use session, never POST
Reported by: Javohir Abdurazzoqov (security researcher)
Since you have Private Vulnerability Reporting enabled, feel free to create a security advisory — I am happy to be credited as the reporter.
Security Vulnerability Report: IDOR — Any User Can Change Any User's Profile Photo
Hello bitsandbots team,
I found an IDOR (Insecure Direct Object Reference) vulnerability in the profile photo upload feature.
Severity
Medium (CVSS 6.5) — CWE-639: Authorization Through User-Controlled Key
Affected File
users/edit_account.phplines 14–26Vulnerable Code
Root Cause
The
user_idis read from$_POST["user_id"]instead of$_SESSION["user_id"]. The CSRF token check only validates that the request comes from a logged-in session — it does NOT prevent an authenticated attacker from using their own valid CSRF token to update a different user's photo.Compare with the correct pattern used in the same file for text updates:
Proof of Concept
ROLE_USERaccount/users/edit_account.phpto obtain their own valid CSRF tokenFix
Reported by: Javohir Abdurazzoqov (security researcher)