Employee Performance Evaluation System version 1.0 suffers from an insecure direct object reference vulnerability.
c7f4bc95e0f9623845d5e474ff17c55e
# Exploit Title: Employee Performance Evaluation System 1.0 - Able to delete Admin user from Local account Unauthenticated Insecure Direct Object Reference (IDOR)
# Date: 09/12/2020
# Exploit Author: Manish Solanki
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html
# Version: 1.0
# Tested on: Windows 10/Kali Linux
# PoC: https://drive.google.com/file/d/1LWU05ocapuoIL1nfqCF8DRu_T2gB-3sQ/view
Steps to Reproduce:
1) Login with Admin Credentials (Email: [email protected] Password: admin123)
2) Create Local Employee Account
3) Log Out from Admin Account
4) Now login Local Employee Account
5) Change url to ?page=user_list. Now I am able to delete / change admin user
http://localhost/epes/index.php?page=user_list
6) Now able to access admin privileges account and able to perform edit or delete operation from local account.