SourceCodester Best House Rental Management System POST Request ajax.php cross-site request forgery
Description
A vulnerability, which was classified as problematic, was found in SourceCodester Best House Rental Management System 1.0. Affected is an unknown function of the file /rental/ajax.php?action=delete_user of the component POST Request Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SourceCodester Best House Rental Management System 1.0's delete_user endpoint lacks CSRF protection, allowing attackers to delete admin accounts by tricking an authenticated user into submitting a crafted request.
Vulnerability
The /rental/ajax.php?action=delete_user endpoint in SourceCodester Best House Rental Management System 1.0 is vulnerable to Cross-Site Request Forgery (CSRF) [1]. Because the handler performs no CSRF-token or origin validation, an attacker can forge a POST request that deletes the user specified by the id parameter [1]. The endpoint is part of the POST Request Handler component.
Exploitation
An attacker does not need authentication but must trick an authenticated admin user into visiting a malicious page or clicking a crafted link [1]. The attacker crafts an HTML form that auto-submits a POST request to http://localhost/rental/ajax.php?action=delete_user with a body parameter id=<target_user_id> [1]. When the victim, who has an active session, loads the attacker's page, the form submission triggers the deletion of the specified user account [1]. The attacker can set the id parameter to any existing user ID, potentially deleting all admin accounts in sequence.
Impact
Successful exploitation results in the unauthorized deletion of admin or user accounts [1]. By deleting every admin account, an attacker could lock out all legitimate administrators, causing loss of user management capabilities and severe disruption of business operations [1]. The impact is primarily on availability, as user accounts (including admin accounts) can be removed.
Mitigation
The vendor, SourceCodester, has not yet released a patched version as of the publication date [2]. The recommended mitigation is to implement CSRF protection by using CSRF tokens that validate the authenticity of each request [1]. As no official fix is available, administrators should be aware of the exposure and consider applying a web application firewall rule to block unexpected POST requests to /rental/ajax.php?action=delete_user or disable the endpoint if not needed.
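One way to implement the token check recommended above, given here as an added example and not the project's own code; the function names, the `$session` array standing in for `$_SESSION`, and the additional Origin/Referer check are assumptions:

```php
<?php
// Added example, not the project's code: synchronizer-token CSRF check for the
// delete_user action. Names are hypothetical; $session stands in for $_SESSION.
declare(strict_types=1);

function csrf_token(array &$session): string {
    // One 256-bit random token per session, created lazily and reused.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrf_verify(array $session, $submitted): bool {
    $expected = $session['csrf_token'] ?? '';
    // hash_equals() compares in constant time; both sides must be non-empty strings.
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

function same_origin(array $server, string $allowed): bool {
    // Defence in depth: the Origin (or, failing that, Referer) must be our own site.
    $origin = $server['HTTP_ORIGIN'] ?? null;
    if ($origin === null && isset($server['HTTP_REFERER'])) {
        $p = parse_url($server['HTTP_REFERER']);
        $origin = ($p['scheme'] ?? '') . '://' . ($p['host'] ?? '')
                . (isset($p['port']) ? ':' . $p['port'] : '');
    }
    return $origin === $allowed;
}

// Hardened dispatch for action=delete_user: every check runs before any DB write.
function handle_delete_user(array $post, array $server, array $session, string $allowed): array {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') return [405, 'method not allowed'];
    if (!same_origin($server, $allowed)) return [403, 'cross-origin request rejected'];
    if (!csrf_verify($session, $post['csrf_token'] ?? null)) return [403, 'invalid CSRF token'];
    if (!ctype_digit((string)($post['id'] ?? ''))) return [400, 'bad id'];
    // Only now: parameterised DELETE by (int)$post['id'], plus a role check on the caller.
    return [200, 'would delete user ' . (int)$post['id']];
}

// Demo with constructed requests: a form auto-submitted from another site carries
// no token and a foreign Origin, so it is rejected before the delete runs.
$session = [];
$token   = csrf_token($session);  // the admin page embeds this in a hidden input named csrf_token
$site    = 'http://localhost';
$forged  = handle_delete_user(['id' => '1'], ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => 'http://attacker.invalid'], $session, $site);
$legit   = handle_delete_user(['id' => '1', 'csrf_token' => $token], ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN' => $site], $session, $site);
printf("forged: %d %s\nlegit:  %d %s\n", $forged[0], $forged[1], $legit[0], $legit[1]);
```

The token must also be regenerated on login and the delete must still check that the session belongs to an administrator; the CSRF check only proves the request came from the application's own page.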
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/YasserREED/YasserREED-CVEs/blob/main/Best%20house%20rental%20management%20system%20project%20in%20php/Cross-Site%20Request%20Forgery%20(CSRF).md (mitre: exploit)
- vuldb.com (mitre: third-party-advisory)
- vuldb.com (mitre: signature, permissions-required)
- vuldb.com (mitre: vdb-entry)
- www.sourcecodester.com (mitre: product)
News mentions
No linked articles in our index yet.