SourceCodester Packers and Movers Management System Cross-Site Request Forgery Vulnerability in Users.php
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Users.php component of SourceCodester Packers and Movers Management System version 1.0. The user-creation request handled by Users.php carries no anti-CSRF token, so an attacker who induces an authenticated admin to submit a crafted request (for example by having the admin visit an attacker-controlled page that auto-submits a form to Users.php) can create an admin account without the admin's knowledge.
Impact
Exploitation of this vulnerability results in the creation of an unauthorized admin account under the attacker's control, giving the attacker full administrative access to the application and the ability to read or modify the data it manages.
Reproduction
The vulnerability is reproduced by crafting a request that mirrors the legitimate user-creation submission to Users.php and causing an authenticated admin's browser to send it, typically from an attacker-controlled page. Because the application does not tie the request to the admin's session with a token, the browser attaches the admin's session cookie and Users.php processes the request as if the admin had submitted it, creating the attacker's admin account.
Remediation
To address this vulnerability, it is recommended to implement CSRF protection by adding unpredictable, per-session CSRF tokens to all forms that perform state-changing actions, such as user creation, and rejecting any request whose token is missing or does not match the session's token using a constant-time comparison. Additionally, the SameSite attribute should be set to Lax or Strict on session cookies to prevent the browser from attaching them to cross-site requests. Requiring an additional verification step for high-impact actions, such as re-entering the admin's password before creating another admin account, further limits the damage of any remaining forgery path.
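The following PHP is an added example of the three mitigations above applied to a user-creation handler; it is not code from the Packers and Movers Management System. The field names (csrf_token, confirm_password, username, password, role), the session key admin_id, and the helper functions fetch_admin_password_hash() and do_create_user() are assumptions standing in for the application's own database lookup and insert logic.

```php
<?php
// Added example, not the project's code. Helper names and form field names are
// assumptions; only the CSRF and re-authentication logic is the point.

// 1. Session cookie restricted to same-site requests: a forged cross-site POST
//    arrives without the admin's session and is rejected at login check time.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // assumes the application is served over HTTPS
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// 2. One unpredictable token per session, rendered into every state-changing form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// A missing or mismatched token aborts before any write. hash_equals() is a
// constant-time comparison, so the token cannot be guessed byte by byte.
function csrf_verify(): void
{
    $sent = $_POST['csrf_token'] ?? '';
    if (!is_string($sent) || empty($_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// 3. Re-verify the acting admin's password before a high-impact action.
//    fetch_admin_password_hash() is an assumed lookup of the stored password
//    hash for the logged-in admin; the hash is compared with password_verify().
function require_admin_reauth(): void
{
    $pw = $_POST['confirm_password'] ?? '';
    $hash = fetch_admin_password_hash((int)($_SESSION['admin_id'] ?? 0));
    if (!is_string($pw) || $hash === null || !password_verify($pw, $hash)) {
        http_response_code(403);
        exit('Re-authentication required');
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['create_user'])) {
    csrf_verify();
    $role = $_POST['role'] ?? 'staff';
    if ($role === 'admin') {
        require_admin_reauth();
    }
    // do_create_user() stands in for the application's existing insert logic,
    // which is now reached only after the checks above have passed.
    do_create_user($_POST['username'] ?? '', $_POST['password'] ?? '', $role);
}
?>
<form method="post" action="Users.php">
  <?= csrf_field() ?>
  <input type="text" name="username">
  <input type="password" name="password">
  <select name="role"><option value="staff">staff</option><option value="admin">admin</option></select>
  <input type="password" name="confirm_password" placeholder="Your current password">
  <button type="submit" name="create_user" value="1">Create user</button>
</form>
```

The token must be emitted into every form that changes state, not only this one, and csrf_verify() must run before any database write; checking it after the insert leaves the account created. Regenerating the token after login (session_regenerate_id() plus clearing $_SESSION['csrf_token']) keeps a token captured before authentication from being reused afterwards.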
