Employee Leave Management System
cpe:2.3:a:employee_leaves_management_system_project:employee_leaves_management_system:*:*:*:*:*:*:*
- 2.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the Employee Leave Management System (ELMS) version 2.1. This vulnerability allows remote attackers to escalate privileges by exploiting the manage-employee.php component. The issue arises because the application does not properly validate requests to deactivate employees, enabling attackers to trick administrators into unintentionally disabling user accounts.
Exploitation of this vulnerability allows attackers to manipulate employee status without authorization, leading to unauthorized account deactivations. This could disrupt operations, especially if critical personnel are affected, and may be exploited in conjunction with other vulnerabilities to target specific accounts.
To reproduce this vulnerability, log in as an admin and navigate to the 'Manage Employees' section. Intercept the request that is sent when deactivating an employee. This request includes the 'inid' parameter, which identifies the employee to be deactivated. Create a Cross-Site Request Forgery proof of concept (PoC) that sends a request to deactivate the employee using the intercepted 'inid' value. When the admin visits the page hosting the PoC, the employee is deactivated without the admin having intended it.
To address this vulnerability, implement CSRF protection tokens for all state-changing requests. Ensure that these tokens are validated on the server side. Additionally, consider using Same-Site cookie attributes, enforcing proper HTTP methods for sensitive actions, validating Origin or Referer headers, and adding server-side confirmation for critical operations.
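A hardened version of the deactivation handler that applies the controls above, written here as an added example and not ELMS's own code; the 'inid' parameter comes from the advisory, while the table and column names, the HTTPS-only host, the database DSN and the form layout are assumptions.

```php
<?php
// Added example, not ELMS code: hardened deactivation handler. Only 'inid' is from
// the advisory; table/column names, HTTPS scheme and the form layout are assumed.
// SameSite=Strict keeps the session cookie off cross-site requests (defence in depth).
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();
// One random token per session, embedded in every state-changing form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// True only for a same-origin POST that carries the session's token.
function csrf_request_is_valid(array $server, array $post, string $sessionToken): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                                   // no side effects on GET
    }
    $expected = 'https://' . ($server['HTTP_HOST'] ?? '');
    $source   = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source !== $expected && strpos($source, $expected . '/') !== 0) {
        return false;                                   // foreign or missing origin
    }
    $token = $post['csrf_token'] ?? '';
    return $token !== '' && hash_equals($sessionToken, $token); // constant-time compare
}
// Assumed schema tblemployees(id, Status); prepared statement, no string building.
function deactivate_employee(PDO $db, int $inid): int {
    $stmt = $db->prepare('UPDATE tblemployees SET Status = 0 WHERE id = :id');
    $stmt->execute([':id' => $inid]);
    return $stmt->rowCount();
}
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['inid'])) {
    if (!csrf_request_is_valid($_SERVER, $_POST, $_SESSION['csrf_token'] ?? '')) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token');
    }
    $db = new PDO('mysql:host=localhost;dbname=elms', 'user', 'pass'); // assumed DSN
    deactivate_employee($db, (int) $_POST['inid']);
}
?>
<!-- The token travels with inid; a cross-site page cannot read it to forge this. -->
<form method="post" action="manage-employee.php">
  <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token()) ?>">
  <input type="hidden" name="inid" value="7"> <!-- constructed sample id -->
  <button type="submit">Deactivate</button>
</form>
```

A request that arrives by GET, from another origin, or without the session's token is refused with 403 before any database change, which is the behaviour the original manage-employee.php lacks.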