VYPR
Unrated severity · NVD Advisory · Published Apr 13, 2025 · Updated Apr 14, 2025

Tutorials-Website Employee Management System delete-user.php improper authorization

CVE-2025-3536

Description

A vulnerability was found in Tutorials-Website Employee Management System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/delete-user.php. The manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An IDOR vulnerability in delete-user.php of Employee Management System 1.0 allows remote attackers to delete arbitrary user accounts without proper authorization.

Vulnerability

An insecure direct object reference (IDOR) vulnerability exists in the /admin/delete-user.php file of Tutorials-Website Employee Management System 1.0. The application fails to verify that the requesting user is authorized to delete the account identified by the ID parameter. This allows any remote attacker to delete any user account, including administrator accounts, by simply supplying the target user's ID. The vulnerability is classified as critical and affects all installations of version 1.0 [1].

Exploitation

An attacker can exploit this vulnerability remotely without requiring authentication or any prior privileges. The exploitation steps are: access the /admin/delete-user.php endpoint and supply the ID parameter with the numeric identifier of the target user. The server processes the request and deletes the user account without any authorization check. The exploit has been publicly disclosed, increasing the risk of active attacks [1].

Impact

Successful exploitation allows an attacker to delete any user account in the system, including administrators. This leads to unauthorized data access, data manipulation, account takeover, privilege escalation, and denial of service (DoS) as legitimate users lose access to their accounts and associated data. The organization may suffer reputational damage and regulatory consequences [1].

Mitigation

As of the publication date, the vendor has not responded to the disclosure and no official patch or fixed version has been released. Users of Employee Management System 1.0 should immediately restrict access to the /admin/delete-user.php file via web server configuration (e.g., .htaccess or firewall rules) and implement proper authorization checks in the application code. Until a fix is available, the system remains vulnerable to exploitation [1].
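As an added illustration of the authorization check the mitigation calls for (this is not the project's code; the session keys, the `users` table and column names, and the `$pdo` connection are assumptions), a delete handler that requires an authenticated admin session, a POST with a session-bound CSRF token, and a validated integer ID bound in a prepared statement:

```php
<?php
// Added example of a hardened delete-user handler (not the project's code).
// Assumed: the app's DB bootstrap provides $pdo (PDO), the session stores
// 'user_id', 'role' and 'csrf', and users live in table `users` (int `id`).
declare(strict_types=1);
session_start();
require __DIR__ . '/db.php'; // assumed bootstrap that defines $pdo

function deny(int $status, string $msg): void {
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($msg);
}

// 1. Authentication: an anonymous request must never reach the delete.
if (empty($_SESSION['user_id'])) {
    deny(401, 'authentication required');
}

// 2. Authorization: the role comes from server-side session state, never from the request.
if (($_SESSION['role'] ?? '') !== 'admin') {
    deny(403, 'admin privileges required');
}

// 3. State-changing action: require POST plus a CSRF token tied to this session.
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !isset($_POST['csrf'], $_SESSION['csrf'])
    || !hash_equals($_SESSION['csrf'], (string) $_POST['csrf'])) {
    deny(403, 'invalid request');
}

// 4. Input validation: the ID must be a positive integer, not arbitrary text.
$id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    deny(400, 'invalid id');
}

// 5. Business rule: an admin may not delete the account they are logged in as.
if ($id === (int) $_SESSION['user_id']) {
    deny(400, 'cannot delete the current account');
}

// 6. Parameterized query: the ID is bound, never interpolated into SQL.
$stmt = $pdo->prepare('DELETE FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);

// 7. Audit trail: record who deleted which account for detection and forensics.
error_log(sprintf('user %d deleted by admin %d', $id, (int) $_SESSION['user_id']));
header('Location: /admin/users.php');
```

Restricting the `/admin/` path at the web server, as the mitigation also suggests, is a second layer; it does not replace the per-request check above.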

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)