SourceCodester Pet Grooming Management Software Cross-Site Request Forgery Vulnerability
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the change password functionality of SourceCodester Pet Grooming Management Software version 1.0. The issue arises because the application fails to implement sufficient anti-CSRF tokens or same-site cookie restrictions. This allows attackers to deceive authenticated users into unintentionally changing their passwords. Exploitation requires the victim to be logged into the admin panel and to visit an attacker-controlled page that can send a password change request without proper validation.
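As an added illustration of the missing controls (example code, not SourceCodester's own): a change-password handler that issues a per-session synchronizer token, validates it in constant time, marks the session cookie SameSite, and re-authenticates with the current password. The POST field names, `$_SESSION['admin_id']`, `fetch_admin_hash()` and `update_admin_password()` are assumed.

```php
<?php
// Added example, not SourceCodester's code: synchronizer-token CSRF protection
// plus a SameSite session cookie for a change-password handler. The POST field
// names and fetch_admin_hash()/update_admin_password() are assumed helpers.
// Restrict the session cookie before the session starts so a cross-site POST
// from an attacker-controlled page is not sent with the admin's session.
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),
]);
session_start();
// One unpredictable token per session, embedded in the form as a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Constant-time comparison; a forged request cannot know the session token.
function csrf_valid($submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // Re-authentication: require the current password before changing it.
    $storedHash = fetch_admin_hash($_SESSION['admin_id']);   // assumed helper
    if (!password_verify($_POST['current_password'] ?? '', $storedHash)) {
        http_response_code(403);
        exit('Current password is incorrect.');
    }
    update_admin_password($_SESSION['admin_id'],             // assumed helper
        password_hash($_POST['new_password'] ?? '', PASSWORD_DEFAULT));
    session_regenerate_id(true); // rotate the session after a credential change
}
?>
<form method="post" action="change_pass.php">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="password" name="current_password"> <input type="password" name="new_password">
  <button type="submit">Change password</button>
</form>
```

With the token check and the current-password requirement in place, the auto-submitting page described in the reproduction steps is rejected with a 403 instead of changing the admin's password.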
Impact
Successful exploitation allows for unauthorized password changes, potentially leading to unauthorized access to user accounts.
Reproduction
To reproduce this vulnerability, log into the application as an admin. Once logged in, create a malicious HTML file that sends a password change request to the '/pet_grooming/admin/change_pass.php' endpoint. This file can be designed to automatically submit the request when opened. After creating the file, open it in a browser while still logged into the admin panel. The password will be changed without consent, and this can be verified by checking the database or attempting to log in with the new password.