SourceCodester Pet Grooming Management Software Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in SourceCodester Pet Grooming Management Software version 1.0. The issue arises because the application does not verify that state-changing requests originate from its own forms, which allows an attacker to trigger the admin password change on a logged-in victim's behalf and potentially take over the admin account. The vulnerability can be exploited remotely and without authentication, but it requires user interaction (the victim must visit an attacker-controlled page while logged in).

Impact

Exploitation of this vulnerability allows cross-site request forgery against the password change functionality, which could lead to unauthorized access to admin accounts.

Reproduction

To reproduce this vulnerability, send a POST request to the 'change_pass.php' endpoint within the 'admin' directory. The request must include a 'password' field with the desired new password value and an 'update' field; no anti-CSRF token or current-password confirmation is required. The submission can be automated with a script that simulates a form submission, such as a Burp Suite-generated CSRF PoC.
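A defensive pattern for the 'admin/change_pass.php' handler described above, added here as an example (not code from SourceCodester): a per-session anti-CSRF token rendered as a hidden form field and checked with a constant-time comparison on every POST, plus a login check and re-authentication with the current password. The `admins` table, the `admin_id` session key, the `$conn` handle and its placeholder credentials are assumptions.

```php
<?php
// Added example: CSRF-hardened admin password change handler (assumed names, not SourceCodester code).
session_start();
$conn = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME'); // assumed connection, placeholder credentials
// One random token per session; the form must echo it back in a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Constant-time comparison of the submitted token against the session copy.
function csrf_valid(?string $submitted): bool {
    return isset($_SESSION['csrf_token'], $submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['update'])) {
    // 1. A cross-site form post cannot read the session token, so a missing or wrong token is rejected.
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403); exit('Invalid request token.');
    }
    // 2. Only a logged-in admin may change the admin password (assumed session key).
    if (empty($_SESSION['admin_id'])) {
        http_response_code(401); exit('Login required.');
    }
    // 3. Re-authenticate with the current password before accepting a new one.
    $stmt = $conn->prepare('SELECT password FROM admins WHERE id = ?');
    $stmt->bind_param('i', $_SESSION['admin_id']);
    $stmt->execute();
    $hash = $stmt->get_result()->fetch_assoc()['password'] ?? '';
    if (!password_verify($_POST['current_password'] ?? '', $hash)) {
        http_response_code(403); exit('Current password incorrect.');
    }
    // 4. Store only a password hash, then rotate the token so the form cannot be replayed.
    $new = password_hash($_POST['password'] ?? '', PASSWORD_DEFAULT);
    $stmt = $conn->prepare('UPDATE admins SET password = ? WHERE id = ?');
    $stmt->bind_param('si', $new, $_SESSION['admin_id']);
    $stmt->execute();
    unset($_SESSION['csrf_token']);
    echo 'Password updated.';
}
?>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
  <input type="password" name="current_password" placeholder="Current password">
  <input type="password" name="password" placeholder="New password">
  <button type="submit" name="update" value="1">Update</button>
</form>
```

Setting the session cookie with `SameSite=Lax` or `Strict` adds a second, browser-enforced layer, but the token check is what closes the hole for browsers that do not honour it.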

Added: Sep 27, 2025, 7:18 AM
Updated: Sep 27, 2025, 7:18 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.