phpgurukul Gym Management System Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in phpGurukul Gym Management System version 1.0. The issue arises in the User Panel's profile update feature, specifically at the '/profile.php' endpoint. The application does not bind profile-update requests to an Anti-CSRF token, so any page the logged-in user visits can submit the update form on their behalf. An attacker can thereby change sensitive user information such as name, address and phone number without the user's knowledge, compromising the integrity of the account's profile data.

Impact

Exploitation of this vulnerability allows for unauthorized modifications to user profile information, including name, address, and phone number.

Reproduction

To reproduce this vulnerability, host a page on an attacker-controlled origin containing a form that POSTs to the '/profile.php' endpoint with the 'fname', 'lname', 'email', 'mobile', 'state', 'city' and 'address' fields, and have a user who is logged in to the User Panel visit it. The browser attaches the victim's session cookie, the form carries no Anti-CSRF token, and because the endpoint performs no token validation (nor any Origin or Referer check), the request is processed as if the user had submitted it, resulting in an unauthorized profile update.
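The following is an added example illustrating the missing control, not code from phpGurukul or from the advisory: a profile handler that issues a per-session token, rejects any POST whose token does not match, and additionally checks the request origin. The POST field names are those listed above; the session layout, the `$con` database handle, the table and column names and the `uid` session key are assumptions for illustration only.

```php
<?php
// Added example, not phpGurukul code. Shows the Anti-CSRF token pattern a
// handler like /profile.php needs. Field names come from the advisory;
// $con, the table/column names and $_SESSION['uid'] are assumed.
session_start();

// Token sent to the browser inside the profile form; created once per session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes -> 64 hex characters, unpredictable to an attacker.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Validates the token submitted with a state-changing request.
// Returns true only when a token is present and equals the session's token.
function csrf_check(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    // hash_equals is a constant-time comparison.
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: a form posted from another site carries the attacker's
// Origin. Assumes the application is served over HTTPS on HTTP_HOST.
function same_origin_request(): bool
{
    $expected = 'https://' . $_SERVER['HTTP_HOST'];
    $origin = $_SERVER['HTTP_ORIGIN'] ?? null;
    if ($origin === null) {
        // Browsers send Origin on cross-site POSTs; fall back to Referer.
        $referer = $_SERVER['HTTP_REFERER'] ?? '';
        return strpos($referer, $expected . '/') === 0;
    }
    return $origin === $expected;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Hardened: refuse the update unless token and origin both check out.
    // The vulnerable pattern is this same block without the condition.
    if (!csrf_check($_POST['csrf_token'] ?? null) || !same_origin_request()) {
        http_response_code(403);
        exit('Invalid request token');
    }
    // $con is assumed to be the application's mysqli connection.
    // A prepared statement keeps the update from doubling as SQL injection.
    $stmt = $con->prepare(
        'UPDATE tblusers SET FirstName=?, LastName=?, Email=?, MobileNumber=?, ' .
        'State=?, City=?, Address=? WHERE ID=?'
    );
    $stmt->bind_param('sssssssi',
        $_POST['fname'], $_POST['lname'], $_POST['email'], $_POST['mobile'],
        $_POST['state'], $_POST['city'], $_POST['address'], $_SESSION['uid']);
    $stmt->execute();
}
?>
<!-- The form must carry the token as a hidden field. The vulnerable form
     simply lacks this input, so an attacker's copy of it submits fine. -->
<form method="post" action="profile.php">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
  <input name="fname"> <input name="lname"> <input name="email">
  <input name="mobile"> <input name="state"> <input name="city">
  <input name="address">
  <button type="submit">Update</button>
</form>
```

With this in place, a cross-origin copy of the form fails the token check (the attacker cannot read the victim's session token) and also fails the Origin check, so the update is refused with 403. The token must be regenerated on login and should be tied to the session, not stored in a cookie the attacker's page could also cause the browser to send.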

Added: Feb 17, 2026, 5:25 PM
Updated: Feb 17, 2026, 7:52 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 0.6
exploitability: 7.1
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.