SourceCodester Simple Inventory System tableedit.php#page=editprice cross-site request forgery
Description
A vulnerability, which was classified as problematic, was found in SourceCodester Simple Inventory System 1.0. Affected is an unknown function of the file /tableedit.php#page=editprice. The manipulation of the argument itemnumber leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-265080.
Affected products
- Range: =1.0
- Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF token verification in the price update form allows an attacker to forge requests that modify product prices."
Attack vector
An attacker crafts a malicious HTML page containing a form that auto-submits a POST request to `updateprice.php` with the `ITEM` and `itemprice` parameters. When a logged-in victim visits the attacker's page, the form is submitted silently, modifying product prices without the victim's consent. The attack is launched remotely and requires no special privileges beyond the victim being authenticated [ref_id=1].
Affected code
The vulnerability is in the file `/tableedit.php#page=editprice` and the backend handler `updateprice.php`. The parameter `$_POST['itemnumber']` (referred to as `ITEM` in the PoC) is processed without any token or CSRF protection [ref_id=1].
What the fix does
No patch has been published by the vendor. The advisory states that the root cause is a "lack of token verification mechanism" in `tableedit.php` and `updateprice.php`, where the backend directly splices POST data into SQL update statements without validating the request origin [ref_id=1]. The recommended remediation is to implement anti-CSRF tokens (e.g., a nonce or synchronizer token) on the form and verify the token server-side before processing the price update.
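As an added example (not code from the Simple Inventory System or from the advisory), the synchronizer-token remediation described above, written in PHP: a per-session token is embedded in the edit-price form and checked server-side before the update runs. The session key `csrf_token`, the PDO handle, and the `items` table with its `price` and `itemnumber` columns are assumptions.

```php
<?php
// Added example, not the project's code. Assumed: session key 'csrf_token',
// a PDO connection $pdo, table 'items' with columns 'price' and 'itemnumber'.
session_start();

// Issue one unpredictable token per session; the form embeds it as a hidden field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a missing or mismatched token rejects the request.
function csrf_valid(?string $submitted): bool {
    return isset($_SESSION['csrf_token'])
        && is_string($submitted)
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Hardened equivalent of the updateprice.php handler: verify the token first,
// then bind the values instead of splicing POST data into the SQL string.
function update_price(PDO $pdo, array $post): bool {
    if (!csrf_valid($post['csrf_token'] ?? null)) {
        http_response_code(403);          // forged cross-site request: refuse it
        return false;
    }
    // Item numbers are assumed to be integers and prices non-negative floats.
    $item  = filter_var($post['ITEM'] ?? '', FILTER_VALIDATE_INT);
    $price = filter_var($post['itemprice'] ?? '', FILTER_VALIDATE_FLOAT);
    if ($item === false || $price === false || $price < 0) {
        http_response_code(400);
        return false;
    }
    $stmt = $pdo->prepare('UPDATE items SET price = :price WHERE itemnumber = :item');
    return $stmt->execute([':price' => $price, ':item' => $item]);
}

// Form side (tableedit.php#page=editprice): the hidden field carries the token,
// so a page on another origin cannot build a request that passes csrf_valid().
function edit_price_form(int $item, float $price): string {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="updateprice.php">'
        . '<input type="hidden" name="csrf_token" value="' . $token . '">'
        . '<input type="hidden" name="ITEM" value="' . $item . '">'
        . '<input type="number" step="0.01" name="itemprice" value="' . $price . '">'
        . '<button type="submit">Update price</button></form>';
}
```

As defence in depth, setting the session cookie with `SameSite=Lax` (via `session_set_cookie_params()` on PHP 7.3 and later) stops most browsers from attaching the session to a cross-site POST at all.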
Preconditions
- Auth: Victim must be logged into the Simple Inventory System application
- Input: Attacker must trick the victim into visiting a malicious HTML page
Reproduction
1. Save the PoC HTML from the reference write-up as an `.html` file, adjusting the form action URL to point to the target's `updateprice.php` endpoint.
2. Ensure the victim is logged into the Simple Inventory System.
3. Deliver the HTML file to the victim (e.g., via email or link) and have them open it.
4. The form auto-submits, changing the product price to the attacker-specified value (e.g., 888) [ref_id=1].
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/rockersiyuan/CVE/blob/main/SourceCodester%20Simple%20Inventory%20System%20CSRF.md (mitre; exploit)
- vuldb.com (mitre; third-party-advisory)
- vuldb.com (mitre; signature, permissions-required)
- vuldb.com (mitre; vdb-entry, technical-description)
News mentions
No linked articles in our index yet.