CVE-2017-15808 in phpMyFAQ

Summary

by MITRE

In phpMyFaq before 2.9.9, there is CSRF in admin/ajax.config.php.


Analysis

by VulDB Data Team • 12/10/2025

The vulnerability CVE-2017-15808 is a cross-site request forgery (CSRF) weakness in phpMyFaq versions prior to 2.9.9, specifically in the admin/ajax.config.php component. It exposes the application to unauthorized administrative actions carried out without the knowledge or consent of legitimate users. The flaw stems from the absence of anti-CSRF mechanisms in the administrative AJAX configuration endpoint, so an attacker who can get an administrator's browser to send a crafted request can manipulate the application's configuration settings.

Technically, the vulnerability lets attackers exploit the lack of anti-CSRF tokens in the admin/ajax.config.php script. When an authenticated administrator visits a malicious website or clicks on a crafted link, the attacker can initiate unauthorized configuration changes to the phpMyFaq installation. This is possible because the application neither validates the origin of requests made to the AJAX configuration endpoint nor requires any form of token verification to ensure that the request originates from the legitimate administrative interface. The flaw corresponds to CWE-352, Cross-Site Request Forgery, in which the application fails to validate that requests originate from the intended source.

The operational impact is significant: an attacker can modify critical system configurations without needing the administrator's credentials, because the victim's own authenticated session carries the forged request. An attacker could potentially alter database connection settings, modify user permissions, change administrative passwords, or disable security features within phpMyFaq, which could lead to complete system compromise, data exfiltration, or service disruption. The vulnerability is particularly dangerous in environments where administrators regularly browse untrusted websites while logged in, or where the application is deployed on shared hosting where social engineering attacks are common.

From an ATT&CK framework perspective, this vulnerability maps to technique T1078.004, which involves legitimate credentials for remote access, and T1566, which covers credential harvesting through social engineering. The attack chain typically begins with a malicious webpage that automatically submits requests to the vulnerable admin/ajax.config.php endpoint; it leverages the trust relationship between the browser and the phpMyFaq application, since the browser automatically attaches any relevant cookies or authentication tokens. Organizations should implement proper input validation and output encoding practices as recommended by OWASP guidelines to prevent such vulnerabilities. The mitigation strategy is to require anti-CSRF tokens on all administrative endpoints, implement strict Referer header validation, and enforce the principle of least privilege for administrative users. Organizations should also update to phpMyFaq version 2.9.9 or later, which includes CSRF protection. The vulnerability further highlights the importance of proper session management and of validating the authenticity of every request, particularly one that modifies critical system configurations or user permissions.
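As an added illustration of the mitigation described above (example code written for this page, not phpMyFAQ's own): a minimal PHP configuration endpoint that refuses to apply changes unless the request carries a session-bound anti-CSRF token, with an Origin check as a second layer. SITE_ORIGIN, csrf_token(), csrf_verify() and save_config_option() are assumed names, and an authenticated-admin check is assumed to have run before this code.

```php
<?php
// Added example, not phpMyFAQ's code: a minimal admin AJAX config handler that
// binds every change to a session anti-CSRF token, the control this CVE lacked.
// Assumed names: SITE_ORIGIN, csrf_token(), csrf_verify(), save_config_option().
const SITE_ORIGIN = 'https://faq.example.test'; // assumed deployment origin
session_start(); // an authenticated-admin check is assumed to have run already

// Issue one random token per session; the admin page embeds it in its form/JS.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Compare the submitted token with the session copy in constant time.
function csrf_verify(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && $submitted !== null && hash_equals($expected, $submitted);
}
// Hypothetical persistence call; the real application writes its config store.
function save_config_option(string $key, string $value): void
{
    error_log("config updated: {$key}");
}

// State-changing work only over POST (a GET link or <img> tag cannot reach it).
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}
// The token check is what stops a cross-site form: the attacker's page cannot
// read the victim's session token, so it cannot supply a matching one.
$raw = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? ($_POST['csrf'] ?? null);
$token = is_string($raw) ? $raw : null;
if (!csrf_verify($token)) {
    http_response_code(403);
    echo json_encode(['error' => 'invalid or missing CSRF token']);
    exit;
}
// Defence in depth: browsers send Origin on cross-site POSTs; reject mismatches.
$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
if ($origin !== '' && $origin !== SITE_ORIGIN) {
    http_response_code(403);
    exit;
}
foreach ((array) ($_POST['config'] ?? []) as $key => $value) {
    save_config_option((string) $key, (string) $value);
}
echo json_encode(['ok' => true]);
```

The admin page must call csrf_token() when it renders and send the value back in the X-CSRF-Token header (or the csrf POST field) with every configuration request.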

Reservation: 10/23/2017
Disclosure: 10/23/2017
Moderation: accepted
CPE: ready

EPSS: 0.00344
KEV: no
Activities: very low
