Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq

Valid

Reported on

Dec 29th 2021


Description

Hi there, another CSRF in clearing search items.

Proof of Concept

  1. Install a local instance of phpmyfaq.
  2. Go to this link /phpmyfaq/admin/?action=truncatesearchterms
  3. See that all search terms are deleted.

Impact

This vulnerability is capable of CSRF.
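The report describes a state-changing admin action reachable by a plain GET link. As an added example (not phpMyFAQ code and not the maintainer's patch), the sketch below puts that request shape beside a handler that requires POST plus a per-session token. The function names, the `csrf` field name and the in-memory `$terms` array are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not phpMyFAQ code: names and the 'csrf' field are assumed.
// One random token per session; the admin form embeds it as a hidden field.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

// Vulnerable shape: any GET sent with the admin's session clears the data.
function truncateUnsafe(array $get, array $session, array &$terms): bool
{
    if (empty($session['is_admin']) || ($get['action'] ?? '') !== 'truncatesearchterms') {
        return false;
    }
    $terms = [];
    return true;
}

// Hardened shape: POST only, and the body must carry the session's token.
function truncateSafe(string $method, array $post, array $session, array &$terms): bool
{
    $expected = $session['csrf'] ?? '';
    $sent = $post['csrf'] ?? '';
    if (empty($session['is_admin']) || $method !== 'POST') {
        return false;
    }
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        return false;
    }
    $terms = [];
    return true;
}

// Constructed requests; the admin is logged in for all of them.
$session = ['is_admin' => true];
$token = csrfToken($session);
$forged = ['action' => 'truncatesearchterms'];   // what a cross-site link can send
$genuine = $forged + ['csrf' => $token];         // what the admin's own form sends

$terms = ['php', 'faq'];
var_dump(truncateUnsafe($forged, $session, $terms), count($terms));
$terms = ['php', 'faq'];
var_dump(truncateSafe('POST', $forged, $session, $terms), count($terms));
var_dump(truncateSafe('POST', $genuine, $session, $terms), count($terms));
```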

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a year ago
Thorsten Rinne
a year ago

Maintainer


Hi, this works only if you're logged in as admin with proper rights, right?

M0rphling
a year ago

Researcher


Hi there, yes that's true. In a real attack scenario, the attacker would send the link to the admin and when they click it, all search terms are deleted.

Thorsten Rinne
a year ago

Maintainer


That's true, but it works only if the admin is logged in. I'll fix it anyway.

Thorsten Rinne validated this vulnerability a year ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
Thorsten Rinne submitted a
a year ago
Thorsten Rinne
a year ago

Maintainer


This is the patch for the 3.0 branch, will be merged later to main:

https://github.com/thorsten/phpMyFAQ/commit/4310640935684486bed5edd5de211d8fa0d3372a

M0rphling
a year ago

Researcher


Thanks Thorsten.

Thorsten Rinne marked this as fixed in 3.0.10 with commit 560239 a year ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability will not receive a CVE