Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq

Valid

Reported on

Dec 27th 2021


Description

Hi there phpmyfaq team, I would like to report a Cross-Site Request Forgery in phpmyfaq. It is in publishing a question.

Cross-site request forgery (also known as CSRF) is a web security vulnerability that allows an attacker to induce users to perform actions that they do not intend to perform. It allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

Proof of Concept

  1. Install a local instance of phpmyfaq

  2. Open phpmyfaq as an anonymous user and click on Add question, then add a new question.

  3. Use an admin account and access this link /phpmyfaq/admin/?action=question&id=1&is_visible=toggle; see that the published status of the question is toggled.

  4. POC picture https://drive.google.com/file/d/1IlgsfH560k001rUd-JPRpvSV4f2Ez3jx/view?usp=sharing.

  5. In a real attack scenario, the attacker would feed this link to phpmyfaq admin users, and when they click it, the question's published status is toggled without their consent.

Impact

This vulnerability is capable of CSRF.
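The root cause described above is a state-changing admin action reachable through a plain GET link with nothing tying the request to the admin's own session. The following is an added example, not phpMyFAQ's code and not the maintainer's patch: it shows the vulnerable handler shape beside a hardened one that requires POST and a per-session CSRF token, with an in-memory stand-in for the database. The function names (handleToggleInsecure, handleToggleSecure, csrfToken, csrfTokenIsValid, renderToggleForm) and the form layout are assumptions for illustration.

```php
<?php
// Added example (not phpMyFAQ's code): a state-changing admin action that is
// vulnerable to CSRF because it accepts a plain GET request, beside a hardened
// version that requires POST plus a per-session CSRF token.
// All function names and the $toggleVisibility callback are assumptions.

declare(strict_types=1);

session_start();

// --- Vulnerable pattern (mirrors the report): GET with no token ---------------
function handleToggleInsecure(array $query, callable $toggleVisibility): void
{
    // Any link an admin follows while logged in reaches this branch, because the
    // browser attaches the session cookie automatically.
    if (($query['action'] ?? '') === 'question' && ($query['is_visible'] ?? '') === 'toggle') {
        $toggleVisibility((int) ($query['id'] ?? 0));
    }
}

// --- Hardened pattern ---------------------------------------------------------
function csrfToken(): string
{
    // One random token per session, generated with a CSPRNG.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfTokenIsValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time.
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

function handleToggleSecure(string $method, array $post, callable $toggleVisibility): bool
{
    // State changes only via POST, and only with a token that matches the session.
    if ($method !== 'POST') {
        return false;
    }
    if (!csrfTokenIsValid($post['csrf'] ?? null)) {
        return false;
    }
    if (($post['action'] ?? '') === 'question' && ($post['is_visible'] ?? '') === 'toggle') {
        $toggleVisibility((int) ($post['id'] ?? 0));
        return true;
    }
    return false;
}

// The admin UI embeds the token in the form instead of exposing a bare link.
function renderToggleForm(int $id): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/phpmyfaq/admin/">'
        . '<input type="hidden" name="action" value="question">'
        . '<input type="hidden" name="is_visible" value="toggle">'
        . '<input type="hidden" name="id" value="' . $id . '">'
        . '<input type="hidden" name="csrf" value="' . $token . '">'
        . '<button type="submit">Toggle visibility</button></form>';
}

// --- Demo with a constructed in-memory stand-in for the questions table -------
$visible = [1 => false];
$toggle = function (int $id) use (&$visible): void {
    $visible[$id] = !($visible[$id] ?? false);
};

// Forged request: the GET link from the report, no token. The insecure handler flips the row.
handleToggleInsecure(['action' => 'question', 'id' => '1', 'is_visible' => 'toggle'], $toggle);
var_dump($visible[1]);

// Same forged request against the hardened handler: rejected (wrong method, then bad token).
var_dump(handleToggleSecure('GET', [], $toggle));
var_dump(handleToggleSecure('POST', ['action' => 'question', 'id' => '1', 'is_visible' => 'toggle', 'csrf' => 'guess'], $toggle));

// Legitimate submission from the rendered form carries the session token and is applied.
echo renderToggleForm(1), PHP_EOL;
$ok = handleToggleSecure('POST', ['action' => 'question', 'id' => '1', 'is_visible' => 'toggle', 'csrf' => csrfToken()], $toggle);
var_dump($ok, $visible[1]);
```

Run it with `php example.php`; the first var_dump shows the insecure handler flipping the row, the next two show the hardened handler rejecting the forged requests, and the last shows the token-bearing POST being accepted. Setting the session cookie with SameSite=Lax or Strict is a useful second layer, but the token check is what removes the dependency on browser behaviour.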

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 5 months ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 5 months ago
Thorsten Rinne validated this vulnerability 5 months ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Thorsten Rinne submitted a 5 months ago
Thorsten Rinne
5 months ago

Maintainer


Here's the patch for the 3.0 branch: https://github.com/thorsten/phpMyFAQ/commit/96761b62cac885b63d5d686dd884ed047ec632b1

Please review, thanks in advance. I'll merge it to main later.

M0rphling
5 months ago

Researcher


Hi there, I think the fix is good!

Regards.

Thorsten Rinne
5 months ago

Maintainer


I will release an update asap together with the second issue - but I can't reproduce it.

Thorsten Rinne confirmed that a fix has been merged on 560239 4 months ago
Thorsten Rinne has been awarded the fix bounty