PHP Vulnerability Report #2

@FearfulDenial

Description

The dashboard located here has certain security issues that must be resolved in a reasonable time.

The dashboard uses prepared statements to prevent SQL injection, however fetch_recent_licenses(), fetch_usage_stats(), and fetch_api_key() use prepared statements that do not concatenate user input into queries.

The dashboard assumes that $_SESSION['user_id'] is always active/set, but there's no session_start(). Ensure it is included in config.php or in the dashboard file.

The dashboard correctly uses htmlspecialchars() for output encoding, which prevents XSS (cross-site scripting). However, APP_NAME is echoed without encoding in the <title> tag:

<title>Dashboard - <?php echo APP_NAME; ?></title>

To fix this, it should be wrapped in htmlspecialchars(), i.e., htmlspecialchars(APP_NAME, ENT_QUOTES, 'UTF-8').

As well, BloxAuth allows the creation of API keys, but this form lacks CSRF protection. Implement CSRF tokens to prevent unauthorized submissions that create or copy keys, or perform other state-changing actions.
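One way to implement the CSRF protection requested above, as an added example and not BloxAuth's own code: a per-session token is generated once, embedded as a hidden field in the API key creation form, and checked with a constant-time comparison before the key is created. It assumes session_start() has already run (e.g. in config.php); the form action, the `action` field value and the create_api_key() call are assumptions.

```php
<?php
// Added example: CSRF protection for the API key creation form.
// Assumes session_start() has already been called (e.g. in config.php).

// Return the session's CSRF token, creating one on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes -> 64 hex characters, from the CSPRNG
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to include in every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submitted token; hash_equals() avoids timing side channels.
function csrf_validate(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Handler for the (hypothetical) API key creation POST.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && ($_POST['action'] ?? '') === 'create_api_key') {
    if (!csrf_validate($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token.');
    }
    // create_api_key($_SESSION['user_id']); // hypothetical existing logic
}
?>
<form method="post" action="dashboard.php">
    <?php echo csrf_field(); ?>
    <input type="hidden" name="action" value="create_api_key">
    <button type="submit">Create API key</button>
</form>
```

The same csrf_field()/csrf_validate() pair applies to the copy action and any other POST handler on the dashboard.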

BloxAuth can be clickjacked in many ways, so you should send these security headers from config.php:

header("X-Frame-Options: DENY");
header("X-Content-Type-Options: nosniff");
header("X-XSS-Protection: 1; mode=block");

The SQL query also fetches subscription_end_date, but it isn't ever displayed. Consider adding:

<p class="mt-1 text-sm text-gray-500">Expires on: <?php echo htmlspecialchars($user_info['subscription_end_date']); ?></p>

As well, if fetch_recent_licenses() or fetch_recent_user_activities() returns an empty array, the corresponding list appears blank. To fix this, add fallback messages:

<?php if (empty($recent_licenses)): ?>
    <tr><td colspan="4" class="px-6 py-4 text-center text-gray-500">No recent licenses found.</td></tr>
<?php endif; ?>
