Multiple Stored XSS via mail parameter in thorsten/phpmyfaq
Reported on
Apr 2nd 2023
Description
In PhpMyFaq, while submitting a question, the mail parameter accepts unsanitized user input, which leads to a stored XSS vulnerability that executes in the Admin Panel (/admin/?action=question).
Proof of Concept
- Go to https://roy.demo.phpmyfaq.de/index.php?action=ask&category_id=0
- Fill in all the required form fields except the "Your email address" field
- Enter the payload in the "Your email address" field
- Submit
XSS will execute in the Admin Panel (https://roy.demo.phpmyfaq.de/admin/?action=question)
PoC
Payload
"><iframe/src=javascript:prompt(3)>"@x.y
Another XSS from the same root cause:
Similar to this, the mail parameter in every function is vulnerable to XSS. While posting a comment on a FAQ entry, capture the request in Burp Suite and change the mail parameter to the payload below.
Example REQUEST:
id=1&lang=en&type=faq&user=Demouser&mail="><svg/onload=confirm(document.domain)>"@x.y&comment_text=hello
REQUEST
Payload
"><svg/onload=confirm(document.domain)>"@x.y
XSS executes on the admin comments page:
https://roy.demo.phpmyfaq.de/admin/?action=comments
and on the public FAQ page:
https://roy.demo.phpmyfaq.de/index.php?action=faq&cat=1&id=1&artlang=en
PoC 2
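Both findings above have the same shape: a value that looks like an e-mail address is stored and later written into admin-panel HTML without output encoding. The following is an added example, not phpMyFAQ's own code; the table markup, the function names and the policy of rejecting quoted local parts are assumptions made for illustration. It renders the two payloads from this report through a vulnerable and a hardened version of the same row template, so the difference can be seen in the generated HTML.

```php
<?php
// Added example, not phpMyFAQ code. The `mail` values are the two
// payloads from the report; the row layout is an assumption.
declare(strict_types=1);

// Constructed input: rows as the question/comment admin pages might
// receive them from the database.
$submissions = [
    ['user' => 'Demouser', 'mail' => 'demo@example.com'],
    ['user' => 'attacker', 'mail' => '"><iframe/src=javascript:prompt(3)>"@x.y'],
    ['user' => 'attacker', 'mail' => '"><svg/onload=confirm(document.domain)>"@x.y'],
];

// Vulnerable: the stored value is interpolated into an attribute and
// into text unescaped, which is the behaviour the report describes.
// The leading `">` closes the href attribute and the <a> tag, and the
// remainder of the "address" becomes live markup.
function renderRowVulnerable(array $s): string
{
    return '<tr><td>' . $s['user'] . '</td>'
         . '<td><a href="mailto:' . $s['mail'] . '">' . $s['mail'] . '</a></td></tr>';
}

// Hardened: validate on input AND escape on output.
// Validation alone is not the fix: both payloads are syntactically
// valid RFC 5321 quoted local parts ("..."@x.y), so an RFC-shaped
// validator such as FILTER_VALIDATE_EMAIL can accept them. The
// htmlspecialchars() call with ENT_QUOTES is what neutralises the
// `"` and `<` the payload depends on.
function renderRowHardened(array $s): string
{
    $mail = filter_var($s['mail'], FILTER_VALIDATE_EMAIL);
    // Policy assumption for a FAQ contact field: quoted-string local
    // parts have no legitimate use here, so drop them as well.
    if ($mail === false || str_starts_with($mail, '"')) {
        $mail = '';
    }
    $e = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $link = $mail === ''
        ? '<em>(invalid address)</em>'
        : '<a href="mailto:' . $e($mail) . '">' . $e($mail) . '</a>';
    return '<tr><td>' . $e($s['user']) . '</td><td>' . $link . '</td></tr>';
}

// Quick check usable in a unit test: does the rendered HTML still
// contain an element the submitter injected?
function containsInjectedTag(string $html): bool
{
    return (bool) preg_match('/<(?:svg|iframe|script|img)\b/i', $html);
}

foreach ($submissions as $s) {
    $v = renderRowVulnerable($s);
    $h = renderRowHardened($s);
    echo "vulnerable (injected tag: " . var_export(containsInjectedTag($v), true) . "): $v\n";
    echo "hardened   (injected tag: " . var_export(containsInjectedTag($h), true) . "): $h\n\n";
}
```

Run with `php example.php`. For the two attacker rows the vulnerable renderer emits a real `<iframe>` / `<svg onload=...>` element inside the table, while the hardened renderer emits only the placeholder text; for the legitimate row both renderers produce an equivalent link. Escaping must be applied wherever the value is written into HTML (the admin question and comment pages as well as the public FAQ page), since the report shows the same stored value rendering in more than one place.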
Impact
If an attacker can control a script that is executed in the admin's browser, then they can typically fully compromise that admin user. The attacker can carry out any of the actions possible with a reflected XSS vulnerability, and because the payload is stored, it fires for every administrator who opens the affected page without any further interaction from the victim.
Hi, @thorsten
What's the CVE number?
Thank you for the early validation.