Stored XSS in the adminlog functionality. in thorsten/phpmyfaq
Valid
Reported on
Feb 16th 2023
Description
There is a stored XSS in the 'adminlog' functionality. E.g. the page http://phpmyfaq.local/admin/?action=adminlog shows (failed) login attempts. If a user with the username '<script>alert(1);</script>' tries to log in, it gets logged and displayed on the adminlog unsanitized.
Proof of Concept
- visit http://phpmyfaq.tld/admin/index.php and try to login with
<script>alert(1);</script>
after the failed login attempt, visit
- (as admin) http://phpmyfaq.tld/admin/?action=adminlog to trigger the XSS.
You will notice the script tags being injected:
Invalid user or password.\nLogin: <script>alert(1);</script>\nErrors: Specified login could not be found.
Fix
sanitize $loggingValue['text'] in https://github.com/thorsten/phpMyFAQ/blob/5bd0f79d085feb255d893a67d2fcdac51f4cd2ec/phpmyfaq/admin/stat.adminlog.php#L123 before serving it to the admin user.
Impact
Taking over the admin account.
We are processing your report and will contact the
thorsten/phpmyfaq
team within 24 hours.
7 months ago
TsarSec modified the report
7 months ago
TsarSec modified the report
7 months ago
TsarSec modified the report
7 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
The researcher's credibility has increased: +7
Thorsten Rinne
has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on
Mar 31st 2023
the maintainer has assigned a cⅴe but it doesnt show up in this report @admin
to join this conversation