Code-Projects Traffic Offense Reporting System Cross-Site Request Forgery Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in version 1.0 of the Code-Projects Traffic Offense Reporting System. This vulnerability allows attackers to manipulate state-changing requests without proper validation, exploiting authenticated users' sessions to perform unauthorized actions. The issue arises because the application fails to implement anti-CSRF tokens or verify the origin of requests, leaving critical functionalities exposed to exploitation.

Impact

Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of users, potentially allowing attackers to escalate privileges, manipulate sensitive data, or disrupt system integrity. In a worst-case scenario, this could result in a complete takeover of the application, especially when combined with social engineering tactics.

Reproduction

To reproduce this vulnerability, log into the application as an administrator and navigate to a function that modifies user data or system status, such as the 'ADD USER' feature. While active in this session, visit a malicious HTML page that hosts the exploit payload. This page should automatically submit a request to the 'saveuser.php' endpoint, including the necessary parameters to create a new user with administrative privileges. Once the request is processed, the new admin account will appear in the system.