PHPgurukul Online Course Registration
cpe:2.3:a:phpgurukul:online_course_registration:*:*:*:*:*:*:*
- 3.1
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in PHPgurukul Online Course Registration version 3.1. The application lacks CSRF protection on all administrative forms, allowing attackers to perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. This vulnerability affects several administrative endpoints, including course management and student management pages.
Exploitation of this vulnerability allows for unauthorized actions to be performed on behalf of admin users. This includes creating or deleting courses, deleting student records, resetting student passwords, and registering unauthorized student accounts.
To reproduce this vulnerability, log in as an admin user and navigate to the course management page. Once there, create a malicious HTML page that includes a form targeting the course management endpoint. This form should be set to automatically submit after a short delay. After saving this page, open it in the same browser where the admin session is active. The form will be submitted automatically, creating a new course without the admin's knowledge. Similarly, this vulnerability can be exploited on the student management page to delete student records by sending a crafted request that exploits the missing CSRF protection.
To address this vulnerability, implement CSRF tokens in administrative forms. Generate a token, include it in the form as a hidden input, and validate it upon submission. Additionally, consider using the SameSite cookie attribute to prevent CSRF by blocking session cookies from being sent with cross-site requests.
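One way to implement the token and SameSite mitigation described above, as an added PHP example that is not code from the application or from this advisory. The function names, the `csrf_token` field name and the sample form are hypothetical; it assumes PHP 7.3 or later and an admin panel served over HTTPS.

```php
<?php
// Added example: csrf_token(), csrf_field(), csrf_verify() and the form below
// are hypothetical names, not taken from the application's code.

// Set cookie attributes before the session starts. SameSite=Strict keeps the
// session cookie off cross-site requests; HttpOnly hides it from scripts.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,      // assumption: the site is served over HTTPS
    'httponly' => true,
    'samesite' => 'Strict',  // array form requires PHP 7.3+
]);
session_start();

// Return the per-session token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to embed in every administrative form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Reject the request unless the submitted token matches the session token.
function csrf_verify(): void
{
    $sent  = $_POST['csrf_token'] ?? '';
    $known = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time; an empty or array value fails.
    if (!is_string($sent) || $known === '' || !hash_equals($known, $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    csrf_verify();
    // ... perform the state-changing action here (e.g. add a course) ...
}
?>
<form method="post">
    <?= csrf_field() ?>
    <input type="text" name="coursename">
    <button type="submit" name="submit">Add course</button>
</form>
```

Call `csrf_verify()` at the top of every administrative handler that changes state, before any database write, and emit `csrf_field()` in each corresponding form.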