CVE-2025-70150 - CodeAstro Membership Management System 1.0: Unauthenticated Broken Access Control + SQL Injection via delete_members.php
Unauthenticated attackers can delete arbitrary members and inject SQL via /delete_members.php?id in CodeAstro Membership Management System 1.0.
Summary
| Field | Detail |
|---|---|
| CVE ID | CVE-2025-70150 |
| Product | Membership Management System in PHP 1.0 |
| Vendor | CodeAstro |
| Vulnerability | Missing Authentication + SQL Injection |
| Attack Vector | Remote, Unauthenticated |
| CVSS v3.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H — Base Score: 9.8 |
| CWE | CWE-306, CWE-862, CWE-89 |
| Discoverer | MinhKhoa |
| Date | 2025-12-26 |
1. Description
CodeAstro Membership Management System in PHP 1.0 contains an Incorrect Access Control / Missing Authentication vulnerability in delete_members.php.
Because the endpoint does not enforce authentication or authorization checks, a remote unauthenticated attacker can directly invoke deletion operations by requesting the script with the expected identifier parameter.
In addition, the same id parameter is concatenated directly into SQL statements without validation or prepared statements, resulting in SQL Injection.
Affected endpoint:
GET /delete_members.php?id=...
** CVSS v3.1 :** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Base Score: 9.8)
(SQLi impact depends on the database privileges granted to the application account.)
2. Root Cause Analysis
2.1 Missing authentication/authorization
delete_members.php performs privileged deletion actions without verifying a valid authenticated session (e.g., isset($_SESSION['user_id'])) or role-based authorization.
This matches CWE-306 (Missing Authentication for Critical Function) / CWE-862 (Missing Authorization).
2.2 SQL Injection via id
The script uses the user-controlled id parameter directly inside SQL queries (no casting, no prepared statements).
Example pattern (simplified):
1
2
3
4
5
$memberId = $_GET['id'];
// Queries using $memberId directly, e.g.:
SELECT * FROM renew WHERE member_id = $memberId;
DELETE FROM renew WHERE member_id = $memberId;
This results in CWE-89 (SQL Injection).
3. Steps to Reproduce (PoC)
All requests below are sent without a Cookie header (no prior login required).
ReplaceTARGETand use a valid member ID from your deployment/database.
PoC #1 — Unauthorized deletion (unauthenticated)
⚠️ Destructive: Perform this only on a local test instance / test data.
1
2
3
4
5
6
7
GET /delete_members.php?id=-1+OR+1=1;-- HTTP/1.1
Host: localhost:4444
Connection: keep-alive
Content-Length: 2
Observed result: The target member record (and related records such as renew entries) is deleted without requiring authentication.
4. Impact
- Unauthorized data deletion: Unauthenticated attackers can delete arbitrary members and potentially related records, causing data loss and service disruption.
- SQL injection: Attackers can influence SQL execution. Depending on DB privileges, this can lead to unauthorized disclosure and/or modification/deletion of database records.
- Availability impact: Attackers can cause performance degradation via time-based (
SLEEP) or expensive queries.
5. Recommendation / Fix
5.1 Enforce authentication/authorization for destructive actions
At the start of delete_members.php:
1
2
3
4
5
6
7
<?php
session_start();
if (!isset($_SESSION['user_id'])) {
http_response_code(403);
exit;
}
?>
Additionally enforce role checks if deletion is intended for admins only.
5.2 Use POST + CSRF protection for deletion
- Convert deletion to a
POSTaction. - Add CSRF tokens for authenticated sessions.
5.3 Use parameterized queries (prepared statements)
- Parameterize
idand all SQL inputs. - Strictly validate/cast
idto integer (defense-in-depth).
5.4 Apply least privilege to database user
- Restrict DB account permissions to only what is necessary.
6. References
- CWE-306: Missing Authentication for Critical Function
- CWE-862: Missing Authorization
- CWE-89: SQL Injection
- OWASP: Broken Access Control
- OWASP: SQL Injection