Code-Projects School Fees Payment System Cross-Site Request Forgery Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in Code-Projects School Fees Payment System version 1.0. This vulnerability allows attackers to manipulate state-changing requests without proper validation, exploiting authenticated users' sessions to perform unauthorized actions.

Impact

Exploitation of this vulnerability could lead to unauthorized actions being performed on behalf of users, potentially allowing attackers to manipulate sensitive data or perform privileged operations.

Reproduction

To reproduce this vulnerability, log in as an administrator to keep the session active. Then, visit a malicious HTML page that hosts the exploit payload. This payload should be crafted to submit a form automatically to 'fees.php' with specific POST parameters, such as 'sid', 'paid', 'submitdate', 'transcation_remark', and 'save'. The absence of anti-CSRF tokens allows this forged request to be processed as if it were a legitimate user action.