Stored XSS on User Management, Category, Add New FAQ, Add News and Configuration in thorsten/phpmyfaq

Valid

Reported on

Dec 12th 2022


Description

Improper validation of user input in the User Management, Add Category, Add New FAQ, Add News and Edit Configuration modules of phpMyFAQ v3.1.9 allows a user to store a malicious JavaScript payload that is later executed in other users' browsers, i.e. a Stored XSS vulnerability.

Proof of Concept

  • Log in to the demo instance https://roy.demo.phpmyfaq.de/admin

For User Management

  • Go to User -> Add user
  • Insert the payload in the field "Real Name", then save

For Add Category module

  • Go to Content -> Categories -> Add new top-level category
  • Insert the payload in the field "Entity Title", then click Add Category

For Add New FAQ module

  • Go to Content -> Add new FAQ
  • Insert the payload in the field "Question", then click Save

For FAQ News

  • Go to Content -> FAQ News -> Add news
  • Insert the payload in the fields "newheaders", "news", "authorName", "link" and "linkTitle", then click Add News

For Edit Configuration

  • Go to Configuration -> Edit Configuration
  • Insert the payload in the field "Name of publisher", then click Save Configuration
  • The XSS alert will be triggered on both the admin and the user page

Payload

  • "><img src=a onerror=alert(document.domain)>

Screenshot POC

  • Note that I put all screenshots in this Google Drive folder

Impact

This vulnerability allows a malicious JavaScript payload to be executed in the web page of any user who views the stored content, which can lead to unauthorized access through cookie theft.

Occurrences

Use an HTML escaping function such as htmlspecialchars() on user input before it is rendered into the page.
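As an added illustration of that recommendation (example code, not phpMyFAQ's own), the snippet below renders a constructed news record containing the report's payload first unescaped and then through an escaping helper; the field names are taken from the report, the helper names and the sample values are assumptions. Because the news form also takes a "link" field that ends up in an href attribute, the example additionally restricts that value to http(s) URLs, since htmlspecialchars() alone does not neutralize a javascript: scheme there.

```php
<?php
// Added example, not part of phpMyFAQ: escape user-controlled values
// before rendering them into HTML. Helper names are constructed.
declare(strict_types=1);

/** Escape a string for use in HTML text or a double-quoted attribute value. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Allow only http(s) links in href; anything else (e.g. javascript:) becomes '#'. */
function safeUrl(string $url): string
{
    $scheme = strtolower((string) parse_url(trim($url), PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? e($url) : '#';
}

// Constructed sample record using the payload quoted in the report.
$news = [
    'newsHeader' => '"><img src=a onerror=alert(document.domain)>',
    'authorName' => 'din',
    'link'       => 'javascript:alert(1)',
    'linkTitle'  => 'Read more',
];

// Vulnerable rendering: raw interpolation lets the payload close the
// value="..." attribute and inject its own <img> tag.
$vulnerable = '<input value="' . $news['newsHeader'] . '">';

// Hardened rendering: every dynamic value passes through e(), and the
// href additionally through safeUrl(); the quotes and angle brackets of
// the payload are emitted as &quot; &lt; &gt; entities, so it stays text.
$hardened = '<input value="' . e($news['newsHeader']) . '">' . "\n"
          . '<a href="' . safeUrl($news['link']) . '">' . e($news['linkTitle']) . '</a>'
          . ' by ' . e($news['authorName']);

echo "Vulnerable:\n", $vulnerable, "\n\nHardened:\n", $hardened, "\n";
```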

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 9 months ago
din modified the report 9 months ago
din (Researcher) 9 months ago

Researcher


I think it's good to combine all those vulnerable endpoints in 1 report

din modified the report 9 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 9 months ago
din modified the report 9 months ago
Thorsten Rinne gave praise 9 months ago
Thanks, but it's already fixed for the 3.1.10 release: https://github.com/thorsten/phpmyfaq/commit/1123c0872314fa68d7d0d8136939f62270fb4b7b
din modified the report 9 months ago
Thorsten Rinne validated this vulnerability 9 months ago
din has been awarded the disclosure bounty
The fix bounty is now up for grabs
Thorsten Rinne marked this as fixed in 3.1.10 with commit 1123c0 9 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Jan 31st 2023
news.php#L267-L390 has been validated
din (Researcher) 9 months ago

Thanks, sir, for validating these findings

Thorsten Rinne gave praise 8 months ago
Thanks, but it's already fixed for the 3.1.10 release: https://github.com/thorsten/phpmyfaq/commit/1123c0872314fa68d7d0d8136939f62270fb4b7b
din (Researcher) 8 months ago

Thanks for the update. Will test on the latest version.

Thorsten Rinne published this vulnerability 8 months ago