Summary
Multiple critical security vulnerabilities across all php_action/ endpoints:
1. SQL Injection on Every Endpoint (Critical)
All AJAX handlers use string concatenation in SQL queries with unsanitized POST data.
Examples:
- editUser.php:13: "UPDATE users SET username = '$edituserName' ... WHERE user_id = $userid"
- changePassword.php:14: "SELECT * FROM users WHERE user_id = {$userId}"
- removeUser.php:12: "DELETE FROM users WHERE user_id = {$userid}"
- createUser.php:14: "INSERT INTO users (username, password, email) VALUES ('$userName', ...)"
Fix: Use prepared statements with parameterized queries.
2. IDOR on User Management (Critical)
editUser.php, changePassword.php, removeUser.php all accept user_id/userid from POST data without verifying the current session user has permission to modify that user. Any authenticated user can:
- Change any user's password (changePassword.php:12,22)
- Overwrite any user's credentials (editUser.php:10,13)
- Delete any user (removeUser.php:8,12)
3. No Role/Permission System
core.php only checks $_SESSION['userId'] exists. No admin vs regular user distinction. All authenticated users have full access to all operations including user management.
4. MD5 Password Hashing
Passwords hashed with md5() which is cryptographically broken. Use password_hash() with PASSWORD_BCRYPT.
Recommendation
- Switch all queries to prepared statements (mysqli_prepare/bind_param)
- Add role-based access control (admin vs user)
- Verify session user matches target user_id on user operations
- Replace md5() with password_hash()/password_verify()
Found via static analysis by lighthousekeeper1212
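The four findings above all land in the same kind of handler, so one hardened change-password endpoint shows the combined fix: prepared statements for the injection, a server-side ownership/role check for the IDOR and missing permission system, and password_hash()/password_verify() in place of md5(). This is an added example written for this issue, not code from the repository. It assumes core.php opens a mysqli connection in $connect and sets $_SESSION['userId'] on login (as the report describes); the users.role column (values 'admin' / 'user') is hypothetical and would have to be added as part of the RBAC work.

```php
<?php
// Added example, not the project's code: hardened replacement for a
// php_action/changePassword.php-style handler.
// Assumptions: core.php provides mysqli $connect and $_SESSION['userId'];
// the users.role column ('admin' / 'user') is hypothetical.
require_once '../core.php';

header('Content-Type: application/json; charset=utf-8');

function respond(bool $ok, string $msg, int $status = 200): void
{
    http_response_code($status);
    echo json_encode(['success' => $ok, 'messages' => $msg]);
    exit;
}

// 1. Authentication: the handler rejects unauthenticated callers itself,
//    rather than relying on the calling page.
if (empty($_SESSION['userId'])) {
    respond(false, 'Not authenticated', 401);
}
$sessionUserId = (int) $_SESSION['userId'];

// 2. Input validation: the target id must be an integer; anything else is a 400.
$targetUserId = filter_input(INPUT_POST, 'userId', FILTER_VALIDATE_INT);
$oldPassword  = $_POST['oldPassword'] ?? '';
$newPassword  = $_POST['newPassword'] ?? '';
if ($targetUserId === false || $targetUserId === null || $newPassword === '') {
    respond(false, 'Invalid request', 400);
}

// 3. Authorization (closes the IDOR): a user may change only their own
//    password; admins may change anyone's. The role comes from the database
//    for the *session* user, never from POST data.
$stmt = $connect->prepare('SELECT role FROM users WHERE user_id = ?');
$stmt->bind_param('i', $sessionUserId);
$stmt->execute();
$callerRole = $stmt->get_result()->fetch_assoc()['role'] ?? 'user';
$stmt->close();

$isSelf  = ($targetUserId === $sessionUserId);
$isAdmin = ($callerRole === 'admin');
if (!$isSelf && !$isAdmin) {
    respond(false, 'Forbidden', 403);
}

// 4. Parameterized lookup of the current hash (closes the SQL injection):
//    the id travels as a bound integer, not as text spliced into the query.
$stmt = $connect->prepare('SELECT password FROM users WHERE user_id = ?');
$stmt->bind_param('i', $targetUserId);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();
$stmt->close();
if ($row === null) {
    respond(false, 'User not found', 404);
}

// 5. Self-service changes must prove knowledge of the old password.
//    Existing rows still hold unsalted MD5 (32 hex chars); accept those once
//    with a constant-time compare so the row gets rewritten with bcrypt below.
if ($isSelf) {
    $stored    = $row['password'];
    $legacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
    $ok = $legacyMd5
        ? hash_equals(strtolower($stored), md5($oldPassword))
        : password_verify($oldPassword, $stored);
    if (!$ok) {
        respond(false, 'Old password is incorrect', 403);
    }
}

// 6. Store a bcrypt hash; password_hash() generates the salt and encodes the
//    algorithm/cost in the string, so password_verify() needs no extra columns.
$newHash = password_hash($newPassword, PASSWORD_BCRYPT);
$stmt = $connect->prepare('UPDATE users SET password = ? WHERE user_id = ?');
$stmt->bind_param('si', $newHash, $targetUserId);
$stmt->execute();
$changed = ($stmt->affected_rows === 1);
$stmt->close();

respond($changed, $changed ? 'Password updated' : 'No change made');
```

Two caveats for anyone applying this pattern across the other php_action/ handlers: the login handler needs the same md5-then-rehash branch as step 5, otherwise users with legacy hashes are locked out the moment md5() is removed; and get_result() requires the mysqlnd driver, so on a build without it, bind_result()/fetch() is the equivalent. editUser.php and removeUser.php want the identical step 1-3 gate, with the extra rule that a user should never be able to delete or demote their own admin account by accident.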