Stored XSS in the adminlog functionality in thorsten/phpmyfaq

Valid

Reported on

Feb 16th 2023


Description

There is a stored XSS in the 'adminlog' functionality. The page http://phpmyfaq.local/admin/?action=adminlog lists admin events, including failed login attempts. If someone tries to log in with the username '<script>alert(1);</script>', the failed attempt is logged together with the submitted username, and the adminlog page later renders that username without HTML escaping. The payload therefore executes in the browser of whichever administrator views the log. No valid account is needed to plant it: the attacker only has to submit the admin login form.

Proof of Concept

  1. Visit http://phpmyfaq.tld/admin/index.php and try to log in with the username <script>alert(1);</script> (any password). The login fails and the attempt is written to the admin log.

  2. After the failed login attempt, as an admin, visit http://phpmyfaq.tld/admin/?action=adminlog to trigger the XSS.

You will notice the script tags being injected unescaped into the log table:

Invalid user or password.\nLogin: <script>alert(1);</script>\nErrors: Specified login could not be found.

Fix

HTML-escape $loggingValue['text'] (for example with htmlspecialchars() using ENT_QUOTES) in https://github.com/thorsten/phpMyFAQ/blob/5bd0f79d085feb255d893a67d2fcdac51f4cd2ec/phpmyfaq/admin/stat.adminlog.php#L123 before serving it to the admin user. The escaping belongs at output time, since the stored text contains attacker-controlled data (the submitted login name) and will be rendered into an HTML table cell.
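The following is an added example, not code from phpMyFAQ or from the report author, that reproduces the PoC above in miniature and shows the fix: the admin-log row is rendered once with the attacker-controlled text inserted as-is and once HTML-escaped before the line breaks are added. The row is constructed to mirror the log entry shown in the report; the function names, the column names and the assumption that the entry's "\n" are real newline characters are mine, not phpMyFAQ identifiers or behaviour.

```php
<?php
// Added example, not phpMyFAQ's code. Function names, column names and the
// shape of the sample row are assumptions made for this demonstration.
declare(strict_types=1);

/** Constructed sample row shaped like the failed-login entry from the report. */
function sampleFailedLoginRow(): array
{
    return [
        'id'   => 42,
        'time' => '2023-02-16 10:00:00',
        'usr'  => 'anonymous',
        // Assumption: the "\n" seen on the page are real newline characters.
        'text' => "Invalid user or password.\nLogin: <script>alert(1);</script>\nErrors: Specified login could not be found.",
        'ip'   => '127.0.0.1',
    ];
}

/** Vulnerable rendering: the logged text, including the submitted username, is echoed into HTML as-is. */
function renderLogCellUnsafe(array $row): string
{
    return '<td>' . str_replace("\n", '<br>', $row['text']) . '</td>';
}

/** Hardened rendering: escape the stored text first, then add the line breaks we want. */
function renderLogCellSafe(array $row): string
{
    $escaped = htmlspecialchars($row['text'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . nl2br($escaped, false) . '</td>';
}

/** Crude check used only by this demo: is there still a live <script> tag in the output? */
function containsRawScriptTag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$row    = sampleFailedLoginRow();
$unsafe = renderLogCellUnsafe($row);
$safe   = renderLogCellSafe($row);

printf("unsafe cell still contains <script>: %s\n", containsRawScriptTag($unsafe) ? 'yes' : 'no');
printf("safe cell still contains <script>:   %s\n", containsRawScriptTag($safe) ? 'yes' : 'no');
echo $unsafe, "\n";
echo $safe, "\n";
```

The order matters: escaping before nl2br() keeps the `<br>` tags the page wants while turning the attacker's `<script>` into `&lt;script&gt;`. Doing it the other way round would escape the `<br>` as well, and escaping at logging time instead of at output time would leave any other consumer of the log table (exports, API responses) to deal with already-encoded data.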

Impact

Taking over the admin account. The payload runs in the session of whichever administrator opens the admin log, so an unauthenticated attacker who merely submits the login form can have arbitrary JavaScript perform admin actions through that administrator's browser session, and can exfiltrate the session cookie if it is not protected with HttpOnly.

TsarSec modified the report
7 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 7 months ago
Thorsten Rinne gave praise 7 months ago
Thorsten Rinne validated this vulnerability 7 months ago
Thorsten Rinne marked this as fixed in 3.1.12 with commit e01882 7 months ago
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
Thorsten Rinne published this vulnerability 6 months ago
TsarSec (Researcher), 6 months ago:
The maintainer has assigned a CVE but it doesn't show up in this report @admin
