ScriptAndTools eCommerce Website in PHP Cross-Site Request Forgery Vulnerability
Vulnerability
A cross-site request forgery (CSRF) vulnerability has been identified in ScriptAndTools eCommerce-website-in-PHP version 3.0. This vulnerability allows attackers to perform unauthorized actions by exploiting the application's lack of proper CSRF protection. Multiple endpoints, including 'admin/customer-delete.php' and 'admin/subscriber-delete.php', are affected. The vulnerability can lead to unauthorized deletion of user and subscriber accounts, causing potential data loss and reputational damage.
Impact
Exploitation of this vulnerability allows for cross-site request forgery, leading to unauthorized actions such as deleting user or subscriber accounts. This could result in data loss, including the removal of important customer information and email lists, and could disrupt business operations.
Reproduction
To reproduce this vulnerability, log into the application as an admin user. Then, send a request to 'admin/customer-delete.php' or 'admin/subscriber-delete.php' with a valid 'id' parameter corresponding to a user or subscriber account. Because neither endpoint requires a CSRF token, the deletion is processed on the strength of the admin's session cookie alone, so the request need not originate from the application's own pages.
Remediation
Implement CSRF tokens for every action that modifies data or user accounts, and validate each token on the server side before the action is carried out.
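One way to apply this to the affected delete endpoints, shown as an added example rather than the project's own code: a random per-session token is embedded in each admin form and checked with a constant-time comparison before the record is removed. The function names, the `customers` table and the use of PDO are assumptions for illustration.

```php
<?php
// Added example, not ScriptAndTools code. Per-session CSRF token for the
// admin delete handlers; table name and PDO usage are assumptions.
declare(strict_types=1);

// SameSite/HttpOnly on the session cookie is defence in depth, not a
// substitute for the token check below.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Issue (or reuse) a 256-bit random token, kept only server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token in constant time; anything else is rejected.
function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

// Hidden field to place in every admin form that changes data.
function csrf_field(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Hardened replacement for the body of admin/customer-delete.php:
// require POST plus a valid token before touching the 'id' parameter.
function handle_customer_delete(PDO $db): int
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        return 403;   // forged or token-less request: nothing deleted
    }
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);
        return 400;   // 'id' missing or not an integer
    }
    $stmt = $db->prepare('DELETE FROM customers WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return 200;
}
```

The same pattern applies unchanged to admin/subscriber-delete.php; only the table in the prepared statement differs.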
