Overview
CVE-2025-65647 describes an Insecure Direct Object Reference (IDOR) vulnerability found in the Track order function of PHPGURUKUL Online Shopping Portal version 2.1. This vulnerability allows an attacker to potentially access sensitive order information belonging to other users by manipulating the `oid` parameter in the track order functionality. This can lead to unauthorized information disclosure, posing a significant risk to user privacy and security.
Technical Details
The vulnerability lies in how the application handles the `oid` (order ID) parameter within the order tracking feature. The application fails to properly validate and authorize whether the user requesting the order information is actually the owner of that order. An attacker can potentially modify the `oid` parameter to an order ID they do not own, thereby gaining access to the associated order details, including personal information, order history, and shipping addresses.
Specifically, the application likely uses a direct reference to the order ID in the database or file system without implementing proper access controls. This allows attackers to enumerate and access orders they are not authorized to view.
CVSS Analysis
Under the Common Vulnerability Scoring System (CVSS), CVE-2025-65647 has a base score of 4.3 (Medium). This score reflects the following characteristics:
- Attack Vector (AV): Network (N) – The vulnerability can be exploited remotely over the network.
- Attack Complexity (AC): Low (L) – Exploitation is relatively easy to achieve.
- Privileges Required (PR): None (N) – No user privileges are required to exploit the vulnerability.
- User Interaction (UI): None (N) – No user interaction is required to exploit the vulnerability.
- Scope (S): Unchanged (U) – An exploited vulnerability can only affect resources managed by the same security authority.
- Confidentiality Impact (C): Low (L) – There is some information disclosure, but the impact is limited.
- Integrity Impact (I): None (N) – There is no impact to data integrity.
- Availability Impact (A): None (N) – There is no impact to system availability.
While the score is medium, the potential impact on user privacy should not be underestimated. Note also that the components listed above compute to 5.3 under CVSS v3.1, whereas 4.3 is the score for the same vector with Privileges Required set to Low (an authenticated customer); confirm the published vector against the NVD entry before relying on either figure.
Possible Impact
Successful exploitation of this IDOR vulnerability can lead to:
- Information Disclosure: Attackers can gain access to sensitive order details, including customer names, addresses, phone numbers, email addresses, and purchased products.
- Privacy Violation: User privacy is compromised as attackers can view personal information without authorization.
- Potential for Further Attacks: The disclosed information could be used for phishing attacks, identity theft, or other malicious activities.
Mitigation or Patch Steps
To mitigate this vulnerability, the following steps are recommended:
- Implement Proper Authorization Checks: Ensure that the application verifies, on the server side, that the user requesting the order information is the legitimate owner of that order. Derive the user's identity from the authenticated session, never from anything in the request, and do not rely on the `oid` parameter alone.
- Use Indirect Object References: Replace direct use of sequential order IDs with indirect references or random tokens that are not guessable or enumerable. This complements the ownership check above rather than replacing it; an unguessable token alone is not an authorization decision.
- Input Validation and Sanitization: Implement thorough input validation and sanitization to prevent malicious input from being processed.
- Principle of Least Privilege: Ensure that users only have access to the resources they need to perform their tasks.
- Patch the Application: If a patch is available from PHPGURUKUL, apply it immediately. Monitor the PHPGURUKUL website for security updates.
- Web Application Firewall (WAF): Deploy a WAF to detect and block suspicious requests targeting the `oid` parameter, for example rapid sequential probing of order IDs, and consider rulesets designed to flag IDOR attempts. Treat this as defense in depth and a detection aid, not a fix: a WAF has no knowledge of which user owns which order, so only the application-level authorization check closes the vulnerability.
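The first two mitigation steps (an ownership check and an indirect reference), shown as an added PHP example beside the vulnerable lookup pattern. This is not PHPGURUKUL's code: the `orders` table, its `id`, `user_id`, `track_token`, `status` and `address` columns, the `$_SESSION['user_id']` key and the `$pdo` connection are all assumptions about a typical schema.

```php
<?php
// Added example, not PHPGURUKUL's code. Assumes a PDO connection in $pdo, an
// `orders` table with columns id, user_id, track_token, status, address, and
// the logged-in user's id held server-side in $_SESSION['user_id'].
session_start();

// BEFORE (the IDOR pattern): the row is selected purely on the client-supplied
// `oid`; nothing ties the order to the user asking for it.
function trackOrderVulnerable(PDO $pdo, string $oid): ?array {
    $stmt = $pdo->prepare('SELECT id, status, address FROM orders WHERE id = ?');
    $stmt->execute([$oid]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// AFTER: ownership is part of the query. The user id comes from the session,
// never from the request, so a foreign `oid` simply matches no row.
function trackOrderOwned(PDO $pdo, string $oid): ?array {
    if (!isset($_SESSION['user_id']) || !ctype_digit($oid)) {
        return null;
    }
    $sql = 'SELECT id, status, address FROM orders WHERE id = ? AND user_id = ?';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([(int) $oid, (int) $_SESSION['user_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Indirect reference: generate a random token at checkout, store it with the
// order, and put the token (not the sequential id) in tracking links.
function newTrackToken(): string {
    return bin2hex(random_bytes(16));   // 128 bits of entropy, 32 hex chars
}

function trackOrderByToken(PDO $pdo, string $token): ?array {
    if (!isset($_SESSION['user_id']) || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;   // a well-formed token must be presented AND belong to the caller
    }
    $sql = 'SELECT id, status, address FROM orders WHERE track_token = ? AND user_id = ?';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$token, (int) $_SESSION['user_id']]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Handler: answer 404 rather than 403 for a missing or foreign order, so the
// response does not confirm that someone else's order id exists.
$order = trackOrderOwned($pdo, $_GET['oid'] ?? '');
if ($order === null) {
    http_response_code(404);
    exit('Order not found');
}
```

Both hardened lookups keep the `user_id` condition inside the SQL so there is no window between fetching a row and checking who owns it.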
References
- CVE ID: CVE-2025-65647
- GitHub Advisory: https://github.com/SachuuZ/CVE/tree/main/CVE-2025-65647
- PHPGURUKUL: https://phpgurukul.com/
