PHPGurukul Student Record System Cross-Site Request Forgery Vulnerability Allowing Unauthorized Account Deletion

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the manage-students.php component of PHPGurukul Student Record System version 3.2. It allows an attacker to trick an authenticated administrator into submitting a forged request that deletes user accounts. Exploitation results in the unauthorized loss of student records, causing a Denial of Service (DoS) condition within the application.

Impact

Exploitation of this vulnerability leads to the unauthorized deletion of student accounts, disrupting service and compromising the integrity of academic data.

Reproduction

To reproduce this vulnerability, log into the application as an administrator and navigate to the 'View Students' section. Intercept a delete request using a proxy tool like Burp Suite. Generate a CSRF proof-of-concept (PoC) that targets a specific student account by modifying the request parameters. Once the PoC is created, it can be executed to delete the targeted student record, demonstrating the CSRF vulnerability.
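
One way to protect a state-changing delete handler against the forged request described above, as an added example that is not code from PHPGurukul or from this advisory. The names `student_id`, `csrf_token` and `delete_student` are assumptions, and the administrator login check is assumed to run before this code.

```php
<?php
// Added example: hypothetical hardened delete handler. The names used here
// (student_id, csrf_token, delete_student) are assumptions, not PHPGurukul code.
declare(strict_types=1);

// SameSite=Strict keeps the session cookie off cross-site requests;
// 'secure' assumes the site is served over HTTPS.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

/** Return the per-session CSRF token, creating it on first use. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** True only when the submitted token matches the one bound to this session. */
function csrf_token_matches(array $post, array $session): bool
{
    $sent = $post['csrf_token'] ?? null;
    $expected = $session['csrf_token'] ?? null;
    return is_string($sent) && is_string($expected) && $expected !== ''
        && hash_equals($expected, $sent); // constant-time comparison
}

// Deletes are accepted only via POST; a delete parameter in a GET URL is ignored.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_token_matches($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    $studentId = filter_var($_POST['student_id'] ?? '', FILTER_VALIDATE_INT);
    if ($studentId === false) {
        http_response_code(400);
        exit('Invalid student id');
    }
    // delete_student($studentId); // hypothetical: the application's own delete routine
    exit('Deleted');
}
?>
<!-- Each delete button is a POST form that carries the session's token -->
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES) ?>">
  <input type="hidden" name="student_id" value="42"><!-- constructed sample id -->
  <button type="submit">Delete student</button>
</form>
```

A request built on another origin cannot read the session's token, so it fails the `hash_equals` check and receives a 403 even when the administrator's browser is logged in.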

Added: Nov 18, 2025, 7:17 PM
Updated: Nov 18, 2025, 10:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.8
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 1.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.