Name Field and all other required Fields Bypass while doing FAQ Proposals in thorsten/phpmyfaq
Reported on
Jan 25th 2023
Dear Ladies and Gentlemen,
I was able to identify in the process of sending a FAQ Proposal a Username and all other required Fields Bypass Vulnerability. The attacker can bypass all the required fields by sending a space in any required field like name, text, answer or question, which is a required point, and send empty FAQ Proposals and spam, scan or do further malicious things.
Through this, if the attacker wants to send payloads or try to scan the system, he can send as many proposals as he wants without alerting the admin which account and username, email, text, answer etc. is responsible for that. Plus, it's a clear bypass because we can bypass through the space ALL REQUIRED FIELDS FOR SENDING A FAQ PROPOSAL.
The Process of the Vulnerability:
Go to https://roy.demo.phpmyfaq.de/index.php?action=add&cat=0
Fill everything in the required fields -> Intercept the Request
Replace all the required fields with a single space
Go and login as admin and verify the submitted FAQ Proposals -> You will not see any required information which has been sent through the FAQ Proposal
Thank you very much for your time.
Best regards Ahmed Hassan
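The bypass described in the report works because a single space is a non-empty string, so a naive "required field" check passes it. The following PHP is an added example written for this page, not phpMyFAQ's own code: it shows a weak `empty()`-style check next to a hardened check that normalises whitespace (including Unicode spaces that `trim()` alone would miss) before deciding whether a field is present, and runs both over constructed request bodies. Field names and the `REQUIRED_FIELDS` list are assumptions, not phpMyFAQ's actual form fields.

```php
<?php
// Added example (not phpMyFAQ's own code): required-field validation for a
// FAQ proposal form, showing the whitespace-only bypass and a hardened check.
// Field names below are assumptions, not phpMyFAQ's real form parameters.

declare(strict_types=1);

const REQUIRED_FIELDS = ['name', 'email', 'question', 'answer'];

// Weak check: a single space is a non-empty string, so empty() returns false
// and the field is accepted although it carries no information.
function weakRequiredCheck(array $post): array
{
    $missing = [];
    foreach (REQUIRED_FIELDS as $field) {
        if (empty($post[$field])) {
            $missing[] = $field;
        }
    }
    return $missing;
}

// Normalise a submitted value: strip leading/trailing whitespace, including
// Unicode separators (NBSP U+00A0, EM SPACE U+2003, ...) and the BOM, which
// PHP's trim() does not remove by default.
function normalizeField(?string $value): string
{
    if ($value === null) {
        return '';
    }
    $stripped = preg_replace('/^[\s\p{Z}\x{FEFF}]+|[\s\p{Z}\x{FEFF}]+$/u', '', $value);
    // preg_replace() returns null on malformed UTF-8; treat that as empty
    // rather than letting an undecodable value through as "present".
    return $stripped ?? '';
}

// Hardened check: normalise first, then require a genuinely non-empty value.
// This must run server-side regardless of whether captcha is enabled or the
// submitter is logged in, since neither of those validates field content.
function hardenedRequiredCheck(array $post): array
{
    $missing = [];
    foreach (REQUIRED_FIELDS as $field) {
        if (normalizeField($post[$field] ?? null) === '') {
            $missing[] = $field;
        }
    }
    return $missing;
}

// Constructed sample request bodies (not captured traffic).
$samples = [
    'legit'   => ['name' => 'Jane Doe', 'email' => 'jane@example.org',
                  'question' => 'How do I reset my password?', 'answer' => 'Use the reset page.'],
    'space'   => ['name' => ' ', 'email' => ' ', 'question' => ' ', 'answer' => ' '],
    'unicode' => ['name' => "\u{00A0}", 'email' => "\u{2003}", 'question' => "\t", 'answer' => "\u{FEFF}"],
];

foreach ($samples as $label => $post) {
    printf("%-8s weak missing=[%s]  hardened missing=[%s]\n",
        $label,
        implode(',', weakRequiredCheck($post)),
        implode(',', hardenedRequiredCheck($post)));
}
```

For the `legit` body both checks report nothing missing; for the `space` and `unicode` bodies the weak check accepts every field while the hardened check reports all four as missing. Rejecting such a proposal on the server (and logging the rejection with the submitting account or client address) is what stops the empty-submission spam the report describes, independently of any captcha.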
This only works, if the admin disables the captcha protection or the attacker already has an user account. Otherwise it's a very big manual effort to bypass the captcha and all the checks.
Hello,
That's true, but this can be automated through Burp Intruder and let it automatically send requests by only getting one valid request (even without captcha).
Through the current Captcha Bypass it is also easier to exploit this vulnerability.
Generally, it should not be possible to submit free spaces as an answer. This is also possible with captcha.
I fixed this bug but for me it’s not a security issue.
It is a misconfiguration. So I would be very happy if you can verify and accept the misconfiguration which I have reported to you.
Thank you very much.
Best regards Ahmed Hassan
Yes, but why did you mark it as informative when it's a bug?
As you have mitigated the misconfiguration I reported, you should accept and validate the report. Because you have patched the bug, even if it's not a big vulnerability, it is a misconfiguration and a bug.
So I would expect that you Berufs the report please, because you actually patched my reported bug.
I have reverted the report back to pending as requested, feel free to validate again :)
Hello,
As submitted before Thorsten. This will be okay.
@maintainer, I can assign a CVE, just let me know that you are happy to proceed.