Skip to content

[Security] IDOR: Any Authenticated User Can Change Any User's Profile Photo #55

Description

Security Vulnerability Report: IDOR — Any User Can Change Any User's Profile Photo

Hello bitsandbots team,

I found an IDOR (Insecure Direct Object Reference) vulnerability in the profile photo upload feature.

Severity

Medium (CVSS 6.5) — CWE-639: Authorization Through User-Controlled Key

Affected File

users/edit_account.php lines 14–26

Vulnerable Code

if (!verify_csrf()) { ... }   // CSRF check passes — but only validates session token
if (isset($_POST["submit"])) {
    $user_id = (int)$_POST["user_id"];   // ← ATTACKER CONTROLS THIS
    $photo = new Media();
    $photo->upload($_FILES["file_upload"]);
    if ($photo->process_user($user_id)) {   // ← Updates ANY user's photo!

Root Cause

The user_id is read from $_POST["user_id"] instead of $_SESSION["user_id"]. The CSRF token check only validates that the request comes from a logged-in session — it does NOT prevent an authenticated attacker from using their own valid CSRF token to update a different user's photo.

Compare with the correct pattern used in the same file for text updates:

$id = (int)$_SESSION["user_id"];  // ← correct, uses session

Proof of Concept

  1. Attacker logs in as any ROLE_USER account
  2. Loads /users/edit_account.php to obtain their own valid CSRF token
  3. Submits:
POST /users/edit_account.php
Cookie: PHPSESSID=<attacker_session>

csrf_token=<valid_attacker_csrf>&submit=1&user_id=<victim_id>&file_upload=<image>
  1. Victim's (including admin's) profile photo is now replaced

Fix

// Replace POST-sourced user_id with session-sourced:
$user_id = (int)$_SESSION["user_id"];   // always use session, never POST

Reported by: Javohir Abdurazzoqov (security researcher)

Since you have Private Vulnerability Reporting enabled, feel free to create a security advisory — I am happy to be credited as the reporter.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions