Stored XSS on Configuration Version in thorsten/phpmyfaq

Valid

Reported on

Feb 12th 2023


Description

The version field in the configuration form appears to have no validation, which means the application is not properly checking user input for malicious code before storing it in the database. This lack of validation allows an attacker to inject their own script, which is then executed by other users who access the affected page. This can lead to sensitive information being stolen, unauthorized actions being taken, and a variety of other security risks.

Proof of Concept

1. Go to https://roy.demo.phpmyfaq.de/admin/?action=config
2. Save the configuration and intercept the request
3. Edit main.currentVersion with the XSS payload </script><script>alert('1337')</</script><script>alert('1337')</script>script>
4. Forward the request

https://drive.google.com/file/d/1Ws22NhQx3z68fUEQ-dcRelMSlFOTUorG/view?usp=share_link This XSS will trigger in every domain that shows the phpMyFAQ version.
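As an added illustration (not phpMyFAQ's own code and not the fix in commit 215657), the two controls that close this class of bug: rejecting a version value that is not a plain version string when the configuration is saved, and HTML-escaping it wherever it is rendered. The function names, the config array layout and the version pattern are assumptions.

```php
<?php
// Added example, not phpMyFAQ code. Shows save-time validation and
// render-time output encoding for a stored configuration value.

declare(strict_types=1);

// Accept only a dotted numeric version with an optional pre-release tag,
// e.g. "3.1.12" or "3.2.0-beta". Markup and quotes can never match this.
function isValidVersion(string $version): bool
{
    return (bool) preg_match('/^\d+(\.\d+){1,3}(-[A-Za-z0-9.]+)?$/', $version);
}

// Save-side control: refuse to persist an invalid version instead of
// storing whatever the (authenticated) admin form submitted.
function saveCurrentVersion(array &$config, string $submitted): bool
{
    if (!isValidVersion($submitted)) {
        return false; // caller reports a validation error to the admin
    }
    $config['main.currentVersion'] = $submitted;
    return true;
}

// Render-side control: escape on output regardless of what was stored,
// so a legacy or tampered value cannot break out of the HTML context.
function renderVersionBadge(array $config): string
{
    $safe = htmlspecialchars(
        $config['main.currentVersion'] ?? '',
        ENT_QUOTES | ENT_HTML5,
        'UTF-8'
    );
    return '<span class="version">' . $safe . '</span>';
}

// Demonstration with a constructed config and the payload shape from the report.
$config  = ['main.currentVersion' => '3.1.11'];
$payload = "</script><script>alert('1337')</script>";

var_dump(saveCurrentVersion($config, $payload));  // rejected at save time
var_dump(saveCurrentVersion($config, '3.1.12'));  // accepted

// Even if the payload had already been stored, output encoding neutralises it.
$tampered = ['main.currentVersion' => $payload];
echo renderVersionBadge($tampered), PHP_EOL;
```

Both controls belong together: validation stops new bad values from being stored, and output encoding protects pages that render values stored before the validation existed.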

Impact

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.

thorsten/phpmyfaq maintainer has acknowledged this report 2 months ago
Thorsten Rinne
2 months ago

Maintainer


@isdkrisna Why should someone with admin permission use this weak way of harming the users?

isdkrisna
2 months ago

Researcher


I thought that the version couldn't be edited, so I considered it a potential vulnerability. If you are not concerned about this bug/vulnerability, please mark it as informative.

Thorsten Rinne gave praise 2 months ago
Thorsten Rinne validated this vulnerability 2 months ago
isdkrisna has been awarded the disclosure bounty
The fix bounty is now up for grabs
Thorsten Rinne marked this as fixed in 3.1.12 with commit 215657 2 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
Thorsten Rinne published this vulnerability 18 hours ago