CVE-2026-10299

An attacker can exploit this Insecure Direct Object Reference (IDOR) vulnerability by manipulating the `delid` parameter in the URL of the `viewdoctortimings.php` script [ref_id=1]. This allows a user, even one with low privileges or potentially unauthenticated, to delete doctor timing records belonging to other doctors [ref_id=1]. The script lacks ownership checks and session validation, enabling the deletion of arbitrary records by guessing or enumerating the `delid` value [ref_id=1].

The vulnerability exists in the `viewdoctortimings.php` script, specifically in the code block that processes the `delid` GET parameter to delete records from the `doctor_timings` table [ref_id=1]. The code directly uses the `$_GET[delid]` value in a DELETE SQL statement without verifying the session or ownership of the record [ref_id=1].

The advisory recommends adding server-side ownership verification before executing the deletion query [ref_id=1]. This involves checking if the `doctorid` associated with the `doctor_timings_id` matches the currently logged-in user's session ID [ref_id=1]. Additionally, it suggests enforcing authentication on sensitive pages and using POST requests for state-changing operations like deletion to mitigate this vulnerability [ref_id=1].

1. Log in with a legitimate doctor account (e.g., doctorid=5). 2. Navigate to `viewdoctortimings.php`. 3. Intercept the request using a proxy like Burp Suite when clicking the delete button for a record. 4. Record the `delid` value for that record. 5. Log in with a different doctor account (account2). 6. Change the `delid` value in the intercepted request to the value recorded in step 4. 7. Forward the modified request. 8. Verify that the record belonging to the first doctor has been deleted without authorization [ref_id=1].