Stored XSS via Editing config in thorsten/phpmyfaq

Valid

Reported on

Jul 2nd 2022


Description

Hello, I'm reporting several Stored XSS vulnerabilities in the same report because huntr.dev now wants us to do this. Please consider the vulnerabilities independently.

Vuln one:

It's possible to inject JavaScript code in the "URL of your FAQ" parameter in the admin's edit config form. The malicious code is triggered on almost every page of the site.

Vuln two:

It's possible to inject JavaScript code in the "Contact information" parameter in the admin's edit config form. The malicious code is triggered on the contact page.

Proof of Concept

Vuln one:

The edit config form is located at: https://{ENDPOINT}/admin/?action=config

Put this payload in the "URL of your FAQ" box:

"><img src=x onerror=alert(document.domain)>

Be careful when you reproduce this issue: this will break a major part of the website's pages.

Vuln two:

The edit config form is located at: https://{ENDPOINT}/admin/?action=config

Put this payload in the "Contact Information" box:

"><img src=x onerror=alert(document.domain)>

Go to https://{ENDPOINT}/index.php?action=contact and see the XSS triggered!

Impact

Stored XSS, client-side javascript code execution.
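An added example, not phpMyFAQ's own code and not the referenced fix commit: it shows the two rendering contexts the report describes (a configured URL inside an HTML attribute, contact text inside element content), each unescaped beside an escaped version, so the stored payload above stays inert. Function names, markup and the sample values are assumptions.

```php
<?php
// Added example (not phpMyFAQ code). Sample values are constructed and
// reuse the payload from the report as if an admin had saved it in config.
$faqUrl      = '"><img src=x onerror=alert(document.domain)>';
$contactInfo = '"><img src=x onerror=alert(document.domain)>';

// Vulnerable attribute context: the value is concatenated unescaped, so the
// leading "> closes the href attribute and the <a> tag; the <img> is then live.
function renderFaqLinkUnsafe(string $url): string
{
    return '<a href="' . $url . '">FAQ</a>';
}

// Hardened attribute context: htmlspecialchars with ENT_QUOTES turns ", ', <
// and > into entities, so the browser treats the whole value as attribute text.
function renderFaqLinkSafe(string $url): string
{
    $escaped = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $escaped . '">FAQ</a>';
}

// Vulnerable element-content context (the contact page): raw text between
// tags means any <img> or <script> in the stored value is parsed as markup.
function renderContactUnsafe(string $info): string
{
    return '<div class="contact">' . $info . '</div>';
}

// Hardened element-content context: the same escaping applies; if line breaks
// must survive, apply nl2br() to the escaped string, never to the raw one.
function renderContactSafe(string $info): string
{
    $escaped = htmlspecialchars($info, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="contact">' . nl2br($escaped) . '</div>';
}

// Quick check: the hardened outputs must contain no raw tag from the payload.
foreach ([renderFaqLinkSafe($faqUrl), renderContactSafe($contactInfo)] as $html) {
    if (strpos($html, '<img') !== false) {
        throw new RuntimeException('escaping failed: ' . $html);
    }
}
echo renderFaqLinkUnsafe($faqUrl), PHP_EOL;   // attribute broken out of
echo renderFaqLinkSafe($faqUrl), PHP_EOL;     // &quot;&gt;&lt;img ... stays text
echo renderContactUnsafe($contactInfo), PHP_EOL;
echo renderContactSafe($contactInfo), PHP_EOL;
```

Escaping at output time is the durable fix for stored values, since the same config string is reused in many templates; a Content-Security-Policy without inline-handler allowances additionally blocks the onerror handler as defence in depth.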

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a month ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a month ago
Thorsten Rinne validated this vulnerability a month ago

Well, it works, but an admin would harm his own page...

jhond0e has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the thorsten/phpmyfaq team. We will try again in 7 days. a month ago
Thorsten Rinne gave praise 25 days ago
Here's the fix: https://github.com/thorsten/phpMyFAQ/commit/ff7a80038c44b69a09383d2f11565cc86264bdbd It will be released with 3.1.6 the next days.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
We have sent a second fix follow up to the thorsten/phpmyfaq team. We will try again in 10 days. 21 days ago
Thorsten Rinne confirmed that a fix has been merged on ff7a80 11 days ago
Thorsten Rinne has been awarded the fix bounty