Cross-Site Request Forgery (CSRF) in thorsten/phpmyfaq

Valid

Reported on

Dec 29th 2021


Description

Hi there, another CSRF in clearing search items.

Proof of Concept

  1. Install a local instance of phpmyfaq.
  2. Go to this link /phpmyfaq/admin/?action=truncatesearchterms
  3. See that all search terms are deleted.

Impact

This vulnerability is capable of CSRF.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 2 years ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 2 years ago
Thorsten Rinne
2 years ago

Maintainer


Hi, this works only if you're logged in as admin with proper rights, right?

ComradeKtg
2 years ago

Researcher


Hi there, yes that's true. In a real attack scenario, the attacker would send the link to the admin and when they click it, all search terms are deleted.

Thorsten Rinne
2 years ago

Maintainer


That's true, but it works only if the admin is logged in. I'll fix it anyway.

Thorsten Rinne validated this vulnerability 2 years ago
ComradeKtg has been awarded the disclosure bounty
The fix bounty is now up for grabs
Thorsten Rinne submitted a
2 years ago
Thorsten Rinne
2 years ago

Maintainer


This is the patch for the 3.0 branch, will be merged later to main:

https://github.com/thorsten/phpMyFAQ/commit/4310640935684486bed5edd5de211d8fa0d3372a

ComradeKtg
2 years ago

Researcher


Thanks Thorsten.

Thorsten Rinne marked this as fixed in 3.0.10 with commit 560239 2 years ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability will not receive a CVE
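
The issue discussed in this report, as an added example that is neither phpMyFAQ's code nor the linked patch: a state-changing admin action that runs on any authenticated GET request, beside a version that also requires POST and a per-session token. The function names, the `csrf` parameter, the `isAdmin` session key and the in-memory `$store` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration, not phpMyFAQ code. All names here are hypothetical.

/** Issue one random token per session; the admin UI embeds it in its forms. */
function issueCsrfToken(array &$session): string
{
    if (!isset($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));
    }
    return $session['csrf'];
}

/** Before: the session alone authorizes the action, so any followed link triggers it. */
function handleVulnerable(array $query, array $session, array &$store): string
{
    if (($session['isAdmin'] ?? false) && ($query['action'] ?? '') === 'truncatesearchterms') {
        $store = [];
        return 'truncated';
    }
    return 'ignored';
}

/** After: require POST plus a token that a cross-site page cannot read or guess. */
function handleHardened(string $method, array $post, array $session, array &$store): string
{
    if (!($session['isAdmin'] ?? false) || ($post['action'] ?? '') !== 'truncatesearchterms') {
        return 'ignored';
    }
    $expected = $session['csrf'] ?? '';
    $supplied = $post['csrf'] ?? '';
    if ($method !== 'POST' || $expected === '' || !is_string($supplied)
        || !hash_equals($expected, $supplied)) {
        return 'rejected';
    }
    $store = [];
    return 'truncated';
}

// Constructed sample data: an admin session and two stored search terms.
$session = ['isAdmin' => true];
$token = issueCsrfToken($session);
$store = ['install', 'login'];
echo handleVulnerable(['action' => 'truncatesearchterms'], $session, $store), PHP_EOL;
$store = ['install', 'login'];
echo handleHardened('POST', ['action' => 'truncatesearchterms'], $session, $store), PHP_EOL;
echo handleHardened('POST', ['action' => 'truncatesearchterms', 'csrf' => $token], $session, $store), PHP_EOL;
```

The token is compared with `hash_equals` so the check runs in constant time, and an empty session token is rejected outright so that a missing token on both sides never counts as a match.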