PHPGurukul News Portal Cross-Site Request Forgery Vulnerability

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in PHPGurukul News Portal version 1.0. The issue arises from the lack of anti-CSRF protections on the admin endpoint for adding sub-admins. This vulnerability allows attackers to create sub-admin accounts without the knowledge or consent of the authenticated admin user.

Impact

Exploitation of this vulnerability allows for the unauthorized creation of sub-admin accounts, which can lead to abuse of privileges and a complete compromise of the admin panel's integrity.

Reproduction

To reproduce this vulnerability, log into the News Portal as an admin or sub-admin. While authenticated, open a crafted HTML page that automatically submits a POST request to the admin endpoint for adding sub-admins. The request should include the necessary fields to create a new sub-admin account. Once the request is submitted, the new sub-admin account will be created without the user's consent.

Remediation

It is recommended to implement CSRF tokens for all state-changing requests and to validate user roles on the server side before processing admin actions.
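The synchronizer-token pattern and server-side role check that the remediation describes, written in PHP as an added example that is not part of this advisory or of the PHPGurukul project; the session keys, the "admin" role value and the cookie settings are assumptions:

```php
<?php
// Added example (not PHPGurukul code). Session keys and role name are assumptions.
// Defence in depth: a SameSite session cookie stops most cross-origin POSTs
// from carrying the session at all (PHP 7.3+ syntax).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true, 'secure' => true]);
session_start();

// One random token per session, stored server-side and echoed into forms.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; rejects missing, non-string or mismatched tokens.
function csrf_valid($submitted): bool {
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// Only a full admin may create sub-admins (role stored in session; assumed name).
function is_admin(): bool {
    return isset($_SESSION['role']) && $_SESSION['role'] === 'admin';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Check the role first, then the token, before any state change.
    if (!is_admin()) {
        http_response_code(403);
        exit('Forbidden');
    }
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... safe to run the sub-admin insert here ...
}

// Hidden field every state-changing form must carry; a cross-origin page
// cannot read it, so it cannot forge a valid request.
echo '<input type="hidden" name="csrf_token" value="'
   . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
```

Reissue the token on login and logout so a token captured before authentication cannot be replayed afterwards.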

Added: Jan 19, 2026, 7:19 AM
Updated: Jan 19, 2026, 7:19 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 0.6
exploitability: 7.7
remediation: 0.0
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.