Password change IDOR: any user can change any other user's password #64

@lighthousekeeper1212

Description

Summary

In change_password.php, the old password verification checks against the current logged-in user, but the password UPDATE targets a user ID taken from a hidden form field that can be tampered with.

Details

File: change_password.php lines 16-23

```php
// Line 16: Verifies old password against CURRENT logged-in user
if(sha1($_POST['old-password']) !== current_user()['password'] ){
    $session->msg('d', "Your old password not match");
    redirect('change_password.php',false);
}

// Line 21-23: But updates password for user ID from POST (hidden field)
$id = (int)$_POST['id'];
$new = remove_junk($db->escape(sha1($_POST['new-password'])));
$sql = "UPDATE users SET password ='{$new}' WHERE id='{$db->escape($id)}'";
```

The hidden field at line 55:

```html
<input type="hidden" name="id" value="<?php echo (int)$user['id'];?>">
```

Impact

Any authenticated user (including level 3 staff) can:

  1. Enter their OWN old password (which validates successfully)
  2. Tamper with the hidden id field to target ANY user ID (including admin)
  3. Set a new password for that user
  4. Take over any account including admin accounts

Suggested Fix

Use the session-based user ID instead of trusting the POST data:

```php
$id = (int)current_user()['id'];  // Don't trust hidden field
$sql = "UPDATE users SET password ='{$new}' WHERE id='{$db->escape($id)}'";
```
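As an added illustration (not the project's code and not part of the report), here is the same fix written as a standalone handler: the old-password check and the UPDATE both key off the session user, a posted `id` that disagrees with the session id is refused and logged as a tamper signal, and the SQL is parameterised. It assumes a PDO connection and the project's sha1 password storage; the `$log` callable and the in-memory SQLite data are constructed for the demo.

```php
<?php
// Added example: hardened change-password handler (not the project's code).
// Assumes a PDO handle and the project's existing sha1 password column.
function change_password(PDO $pdo, array $currentUser, array $post, callable $log): bool
{
    // 1. Verify the old password against the CURRENT logged-in user only.
    $oldHash = sha1($post['old-password'] ?? '');
    if (!hash_equals($currentUser['password'], $oldHash)) {
        $log('password change rejected: old password mismatch for user ' . $currentUser['id']);
        return false;
    }

    // 2. The UPDATE target comes from the session, never from the form.
    $targetId = (int)$currentUser['id'];

    // 3. Defence in depth: a posted id that differs from the session id is
    //    exactly the tampering described in the report; refuse it and log it.
    if (isset($post['id']) && (int)$post['id'] !== $targetId) {
        $log(sprintf('possible IDOR attempt: user %d posted id %d', $targetId, (int)$post['id']));
        return false;
    }

    // 4. Bind both values; no string interpolation into the SQL.
    $stmt = $pdo->prepare('UPDATE users SET password = :pw WHERE id = :id');
    $stmt->execute([':pw' => sha1($post['new-password'] ?? ''), ':id' => $targetId]);
    return $stmt->rowCount() === 1;
}

// --- demo with an in-memory SQLite database (constructed sample data) ---
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, password TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, '" . sha1('admin-pw') . "'), (3, '" . sha1('staff-pw') . "')");
$staff = ['id' => 3, 'password' => sha1('staff-pw')];        // a level 3 user, as in the report
$log   = function (string $m): void { echo $m, PHP_EOL; };

// Tampered request: the user's own valid old password, but id pointed at the admin row.
var_dump(change_password($pdo, $staff, ['old-password' => 'staff-pw', 'new-password' => 'x', 'id' => 1], $log));
// Legitimate request: no id field at all; the session decides the target row.
var_dump(change_password($pdo, $staff, ['old-password' => 'staff-pw', 'new-password' => 'x'], $log));
```

The logged "possible IDOR attempt" line is the detection hook: in a real deployment it should reach the application log or SIEM so repeated mismatches can be alerted on.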

Discovery

Found via manual code review comparing the old password check target vs the password update target.
