Stored HTML Injection in thorsten/phpmyfaq

Valid

Reported on

Jan 22nd 2023

Dear Ladies and Gentlemen,

First of all thank you for your time and effort reading my Report.

While doing the Penetration Test i was able to identify a stored XSS in the Username.

When an admin or another Users try to set up a new account and set his name to <script>alert(‘1’)</script> the Javascript will run and will be stored for admin and all other Users.

The Process of the Vulnerability:

  1. Login
  2. Go to https://roy.demo.phpmyfaq.de/admin/?action=user&user_action=listallusers
  3. Create a new User or change his username with <script>alert(‘1’)</script>
  4. Refresh the Page from any Account admin or normal User the Code will run Example for the HTML Code: <script>alert(‘1’)</script>

Mitigation: Please do not allow Javascript Code to run and never trust User-Input.

At the End I want to thank you for your time and effort and hope hearing from you soon.

Best regards Ahmed Hassan

Impact

Dear Ladies and Gentlemen,

First of all thank you for your time and effort reading my Report.

While doing the Penetration Test i was able to identify a stored XSS in the Username.

When an admin or another Users try to set up a new account and set his name to <script>alert(‘1’)</script> the Javascript will run and will be stored for admin and all other Users.

The Process of the Vulnerability:

  1. Login
  2. Go to https://roy.demo.phpmyfaq.de/admin/?action=user&user_action=listallusers
  3. Create a new User or change his username with <script>alert(‘1’)</script>
  4. Refresh the Page from any Account admin or normal User the Code will run Example for the HTML Code: <script>alert(‘1’)</script>

Mitigation: Please do not allow Javascript Code to run and never trust User-Input.

At the End I want to thank you for your time and effort and hope hearing from you soon.

Best regards Ahmed Hassan

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 2 months ago
We have contacted a member of the thorsten/phpmyfaq team and are waiting to hear back 2 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 2 months ago
Thorsten Rinne gave praise 2 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Thorsten Rinne validated this vulnerability 2 months ago
ahmedvienna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.11 with commit edf0f6 2 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 28th 2023
ahmedvienna
2 months ago

Researcher

Good Morning,

I hope you are okay. I wanted to mention that my Brother Josef Hassan (mohammedzidan99@gmail.com) was part of identifying this Vulnerability.

Therefore, I will be more than happy if you can put his Name and (E-Mail Address as a Security Researcher with me.

I would appreciate hearing from you soon and wish you a wonderful day.

Best regards Ahmed Hassan

Thorsten Rinne published this vulnerability a month ago
to join this conversation