Stored XSS on User Management, Category, Add New FAQ, Add News and Configuration in thorsten/phpmyfaq
Reported on
Dec 12th 2022
Description
Improper validation of user input in the User Management, Add Category, Add New FAQ, Add News and Edit Configuration modules of phpMyFAQ v3.1.9 allows a user to store a malicious JavaScript payload, leading to a stored XSS vulnerability.
Proof of Concept
- Log in to the demo instance https://roy.demo.phpmyfaq.de/admin
For User Management
- Go to User -> Add user
- Insert the payload in the field "Real Name", then Save
For Add Category module
- Go to Content -> Categories -> Add new top-level category
- Insert the payload in the field "Entity Title", then Add Category
For Add New FAQ module
- Go to Content -> Add new FAQ
- Insert the payload in the field "Question", then Save
For FAQ News
- Go to Content -> FAQ News -> Add news
- Insert the payload in the fields "newheaders", "news", "authorName", "link" and "linkTitle", then Add News
For Edit Configuration
- Go to Configuration -> Edit Configuration
- Insert the payload in the field "Name of publisher", then Save Configuration
The XSS alert is triggered on both the admin page and the user-facing page.
Payload
- "><img src=a onerror=alert(document.domain)>
Screenshot POC
- Note that I put all screenshots in this Google Drive folder
Impact
This vulnerability allows an attacker to execute a malicious JavaScript payload in the web page, which can lead to unauthorized access through session cookie theft.
Occurrences
news.php L267-L390
Apply an HTML escaping function such as htmlspecialchars() to user input before it is rendered in the page.
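As an added example, not phpMyFAQ's own code, the following PHP sketch shows the vulnerable output pattern next to the escaped one for the news fields named in this report; the field names come from the report, the sample values are constructed, and the helper names e() and safeUrl() are hypothetical.

```php
<?php
// Added example (not phpMyFAQ's own code): escaping the user-supplied
// news fields named in the report before they reach an HTML page.
declare(strict_types=1);

/** Escape a value for an HTML text node or a double-quoted attribute value. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Escaping alone does not make an href safe: only allow http(s) schemes. */
function safeUrl(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? e($url) : '#';
}

// Constructed sample input, using the payload quoted in the report.
$news = [
    'newheaders' => '"><img src=a onerror=alert(document.domain)>',
    'authorName' => 'Alice',
    'link'       => 'javascript:alert(1)',   // constructed: a non-http scheme
    'linkTitle'  => 'Read more',
];

// Vulnerable pattern: the raw field is concatenated straight into the markup,
// so the browser parses an <img> element with an onerror handler.
$vulnerable = '<h2>' . $news['newheaders'] . '</h2>';

// Hardened pattern: every field is escaped for the context it lands in.
$hardened = sprintf(
    '<h2>%s</h2><p>by %s</p><a href="%s">%s</a>',
    e($news['newheaders']),
    e($news['authorName']),
    safeUrl($news['link']),
    e($news['linkTitle'])
);

echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;  // the payload now renders as literal text
```

The escaped heading appears as &quot;&gt;&lt;img src=a onerror=alert(document.domain)&gt;, which the browser displays as text instead of parsing as an element.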
References
I think it's good to combine all those vulnerable endpoints in one report.
