Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq

Valid

Reported on

Dec 27th 2021


Description

Hi there phpmyfaq team, I would like to report a Cross-Site Request Forgery in phpmyfaq. It is in publishing a question.

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

Proof of Concept

  1. Install a local instance of phpmyfaq

  2. Open phpmyfaq as an anonymous user and click on Add question, then add a new question.

  3. Use an admin account and access this link: /phpmyfaq/admin/?action=question&id=1&is_visible=toggle. See that the published status of the question is toggled.

  4. POC picture https://drive.google.com/file/d/1IlgsfH560k001rUd-JPRpvSV4f2Ez3jx/view?usp=sharing.

  5. In a real attack scenario, the attacker would feed this link to phpmyfaq admin users, and when they click it, the question's published status is toggled without their consent.

Impact

This vulnerability is capable of CSRF.
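
The request in step 3 changes state on a plain GET and carries no anti-CSRF token. As an added example (not phpMyFAQ's code and not the referenced patch; the function names, the csrf parameter and the in-memory arrays are assumptions), the same toggle handler is run without and with a per-session token check:

```php
<?php
// Added illustration, not phpMyFAQ code. Function names, the "csrf" parameter
// and the in-memory arrays standing in for session and database are assumptions.

function csrfToken(array &$session): string
{
    // One random token per session, embedded in every state-changing admin link.
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

function toggleVisibility(array &$questions, array $session, array $query, bool $checkToken): bool
{
    if (($query['action'] ?? '') !== 'question' || ($query['is_visible'] ?? '') !== 'toggle') {
        return false;
    }
    if ($checkToken) {
        $sent = $query['csrf'] ?? null;
        // Refuse when the token is absent, not a string, or differs (constant-time compare).
        if (!isset($session['csrf']) || !is_string($sent) || !hash_equals($session['csrf'], $sent)) {
            return false;
        }
    }
    $id = (int) ($query['id'] ?? 0);
    if (!array_key_exists($id, $questions)) {
        return false;
    }
    $questions[$id] = !$questions[$id];
    return true;
}

// Constructed sample state: question 1 is unpublished; the admin has a session token.
$questions = [1 => false];
$session = [];
$token = csrfToken($session);

// Query string from step 3 of the report, as it arrives when an admin follows a supplied link.
$fromLink = ['action' => 'question', 'id' => '1', 'is_visible' => 'toggle'];
// The same action as the admin interface would emit it, carrying the session token.
$fromAdminUi = $fromLink + ['csrf' => $token];

$cases = [['no check, link', $fromLink, false], ['check, link', $fromLink, true], ['check, admin UI', $fromAdminUi, true]];
foreach ($cases as [$label, $query, $check]) {
    $changed = toggleVisibility($questions, $session, $query, $check);
    printf("%-16s changed=%s visible=%s\n", $label, var_export($changed, true), var_export($questions[1], true));
}
```

Carrying the token in a POST body instead of the URL keeps it out of Referer headers, browser history and access logs.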

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours (a year ago)
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back (a year ago)
Thorsten Rinne validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Thorsten Rinne submitted a
a year ago
Thorsten Rinne
a year ago

Maintainer


Here's the patch for the 3.0 branch: https://github.com/thorsten/phpMyFAQ/commit/96761b62cac885b63d5d686dd884ed047ec632b1

Please review, thanks in advance. I'll merge it to main later.

M0rphling
a year ago

Researcher


Hi there, I think the fix is good!

Regards.

Thorsten Rinne
a year ago

Maintainer


I will release an update asap together with the second issue - but I can't reproduce it.

Thorsten Rinne marked this as fixed in 3.0.10 with commit 560239 a year ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability will not receive a CVE