XSS Stored inside website title in thorsten/phpmyfaq


Reported on

Nov 1st 2022

📜 Description

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.

In our application, XSS occurs when an administrator inserts an XSS payload inside the website title.

🕵️ Proof of Concept

Insert XSS payload inside website title

Payload used: Super title !</title><script>alert('XSS in title !')</script>

XSS is executed !

🔐 Mitigations

For an XSS attack to succeed, an attacker needs to insert and execute malicious content in a web page. Each variable in a web application needs to be protected. Ensuring that all variables go through validation and are then escaped or sanitized is known as perfect injection resistance. Any variable that does not go through this process is a potential weakness. Frameworks make it easy to ensure variables are correctly validated and escaped or sanitized. In PHP, you can use the htmlspecialchars function to escape variables before they are written into HTML.

As a last line of defense, you can use a Content Security Policy (CSP) or a Web Application Firewall (WAF) to reduce the severity of any XSS vulnerabilities that still occur.

📚 References


XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise.

Examples of impact:

  • Disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account (only if the cookie's HttpOnly flag is set to false).
  • Redirecting the user to some other page or site (like phishing websites).
  • Modifying the content of the current page (adding a fake login page that sends credentials to the attacker).
  • Automatically downloading malicious files.
  • Requesting access to the victim's geolocation / camera.
  • ...
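
The output escaping recommended under Mitigations, applied to the title payload from the proof of concept. This is an added example, not phpMyFAQ's code or the project's fix; the function names renderTitleUnsafe, renderTitleSafe and cspHeader and the CSP policy string are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; not phpMyFAQ's code or its actual fix.

// Before: the stored title is concatenated into the markup unescaped,
// so a stored "</title>" closes the element and the rest is parsed as HTML.
function renderTitleUnsafe(string $storedTitle): string
{
    return '<title>' . $storedTitle . '</title>';
}

// After: escape at output time for the HTML context the value lands in.
// ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string.
function renderTitleSafe(string $storedTitle): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<title>' . htmlspecialchars($storedTitle, $flags, 'UTF-8') . '</title>';
}

// Defence in depth: a policy without 'unsafe-inline' keeps an injected inline
// <script> from executing if an escape is missed somewhere else.
function cspHeader(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'none'";
}

// The payload from the proof of concept, as it would come back from storage.
$stored = "Super title !</title><script>alert('XSS in title !')</script>";

$unsafe = renderTitleUnsafe($stored);
$safe   = renderTitleSafe($stored);

// Regression check: the escaped output must not contain markup from the value.
if (stripos($unsafe, '<script') === false) {
    throw new RuntimeException('unsafe renderer unexpectedly neutralised the payload');
}
if (stripos($safe, '<script') !== false || substr_count($safe, '</title>') !== 1) {
    throw new RuntimeException('escaped title still contains live markup');
}

// Send the policy only when running under a web SAPI with headers still open.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header(cspHeader());
}

echo "unsafe: {$unsafe}\n";
echo "safe:   {$safe}\n";
```

The same escaping has to be applied wherever the stored title is written into a page, not only in the title element.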


We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back a year ago
Thorsten Rinne validated this vulnerability a year ago
xanhacks has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne
a year ago


@xanhacks true, but it only works if an admin would harm his own installation.

Thorsten Rinne marked this as fixed in 3.1.9 with commit 05520b a year ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability will not receive a CVE
header.php#L235 has been validated
a year ago


I know, this is a bit far-fetched, that's why it is a low vulnerability.

An example of exploitation could be: an administrator wants to steal a password from another admin by creating a fake login form.

Thorsten Rinne gave praise 9 months ago
Thanks again, v3.1.9 is now released!
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Thorsten Rinne published this vulnerability 9 months ago