Open in app

Sign in

Write

Sign in

phpMyFAQ-3.1.12 CSV Injection

Mirabbas Agalarov
2 min readMay 4, 2023

--

#Title:

phpMyFAQ-3.1.12 CSV Injection

#Vulnerability discovery:

This is a csv injection vulnerability found in phpMyFAQ-3.1.12.This vulnerability was discovered by me on April 21, 2023.

#Description of the vulnerability:

phpMyFAQ is a mobile-friendly, feature-rich, scalable open source FAQ web app for PHP 8 .
As you know, the administrator can import many site data in csv format.
Csv injection can occur if you do not control input validation and directly use the input when creating a csv file.
Input validation is the cause of almost all vulnerabilities.

#Affected Versions:

This and all previous versions are affected

#Step by Step Exploitation:

Step 1. login as user
step 2. Go to user control panel and change name as =calc|a!z| and save

step 3. If admin Export users as CSV ,in The computer of admin occurs csv injection and will open calculator

OffSec's Exploit Database Archive

Exploit Title: phpMyFAQ v3.1.12 - CSV Injection Application: phpMyFAQ Version: 3.1.12 Bugs: CSV Injection Technology…

www.exploit-db.com

youtube poc-https://youtu.be/lXwaexX-1uU

Csv
Bug Bounty
Vulnerability
Cybersecurity
Hacking

--

--

Mirabbas Agalarov

Written by Mirabbas Agalarov

51 Followers

Peneteration Tester.(0xdec)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams