# Exploit Title: Pharmacy Point of Sale System 1.0 - 'Add New User' Cross-Site Request Forgery (CSRF) # Date: 10/11/2021 # Exploit Author: Murat DEMIRCI (@butterflyhunt3r) # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/14957/pharmacy-point-sale-system-using-php-and-sqlite-free-source-code.html # Version: 1 # Tested on: Windows 10 Detail: The application is not using any security token to prevent it against CSRF. Therefore, malicious user can add new administrator user account by using crafted post request. CSRF PoC: --------------------------------------------------------------------------------------