Code-Projects Laundry System Cross-Site Request Forgery Vulnerability

A cross-site request forgery (CSRF) vulnerability exists in Code-Projects Laundry System version 1.0. This issue allows attackers to manipulate state-changing requests without proper validation, exploiting authenticated users' sessions to execute unauthorized actions. The vulnerability affects all functionalities that alter system status or user data, as the application fails to implement adequate CSRF protection.

Impact

Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of authenticated users, potentially allowing attackers to escalate privileges, create administrative accounts, or manipulate sensitive data.

Reproduction

To reproduce this vulnerability, log in as an administrator and maintain an active session. Then, visit a malicious HTML page that hosts the exploit payload. This page should automatically submit a request to the '/data/insert_laundry.php' endpoint, including hidden form fields that specify the customer, priority, weight, and type. The request will be processed without any CSRF token validation, resulting in a new laundry entry being created under the administrator's account.