Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq


Reported on

Dec 27th 2021


Hi there phpmyfaq team, I would like to report a Cross site request Forgery in phpmyfaq. It is in publishing question.

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

Proof of Concept

  1. Install a local instance of phpmyfaq

  2. Open phpmyfaq as an anonymous user and click on Add question, then add a new question.

  3. Use admin account and access this link /phpmyfaq/admin/?action=question&id=1&is_visible=toggle, see that the published status of the question is toggled.

  4. POC picture

  5. In real attack scenario, the attacker would feed this link to phpmyfaq admin users and when they click it, the question published status is toggled without their consent.


This vulnerability is capable of CSRF.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a year ago
Thorsten Rinne validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Thorsten Rinne submitted a
a year ago
Thorsten Rinne
a year ago


Here's the patch for the 3.0 branch:

Please review, thanks in advance. I'll merge it to main later.

a year ago


Hi there, I think the fix is good!


Thorsten Rinne
a year ago


I will release an update asap together with the second issue - but I can't reproduce it.

Thorsten Rinne marked this as fixed in 3.0.10 with commit 560239 a year ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation