Stored XSS in Question field due to lack of sanitization in Link.php in thorsten/phpmyfaq
Reported on
Jul 7th 2023
Description
Stored XSS (Cross-Site Scripting) is a type of web application vulnerability that allows an attacker to inject malicious scripts into a website or web application. Unlike reflected XSS, where the malicious script is embedded in a URL and executed immediately for the user who opens it, stored XSS persists the malicious script on the target website, so it executes for every user who later views the affected page.
Proof of Concept
1. Login as admin.
2. Go to Content -> Edit or Add FAQs -> in the Question field, enter an XSS payload such as "><h1 onmouseover=alert(1)>XSS</h1>
3. Go to the Category page that lists the FAQ containing the payload and the XSS will trigger.
PoC: https://drive.google.com/file/d/1thIMmEOUPSDTThO8eouvnYnBtAn_oOiW/view?usp=sharing
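The root cause described in this report is that the question text is placed into link markup without output encoding. The following PHP is an added illustration written for this page; it is not phpMyFAQ's own Link.php code, and the function names renderLinkUnsafe, renderLinkSafe and escapeHtml are assumed for the example. It feeds the payload from the proof of concept above (used here as constructed sample input) through an unencoded rendering pattern and through a hardened one that encodes for the HTML attribute and text contexts at output time.

```php
<?php
// Added illustration for this report, not phpMyFAQ's own Link.php code.
// Constructed sample input: the payload from the proof of concept above.
$question = '"><h1 onmouseover=alert(1)>XSS</h1>';

// Pattern assumed for contrast: the question is concatenated into the anchor's
// title attribute and link text without encoding, so a double quote in the
// input closes the attribute and the rest of the input becomes new markup.
function renderLinkUnsafe(string $href, string $question): string
{
    return '<a href="' . $href . '" title="' . $question . '">' . $question . '</a>';
}

// Hardened pattern: encode every untrusted value for the HTML context where it
// is emitted. ENT_QUOTES encodes both ' and " so an attribute value cannot be
// broken out of; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of
// making htmlspecialchars() return an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderLinkSafe(string $href, string $question): string
{
    $safeHref     = escapeHtml($href);
    $safeQuestion = escapeHtml($question);
    return '<a href="' . $safeHref . '" title="' . $safeQuestion . '">' . $safeQuestion . '</a>';
}

// Regression check a maintainer could keep: no raw tag from user input may
// survive into the rendered markup. Returns true when the output is clean.
function containsNoRawTag(string $html, string $userInput): bool
{
    // Strip the expected wrapper and make sure the remaining text has no
    // unencoded angle brackets that originated in the user-controlled value.
    $inner = strip_tags($html);
    return strpos($html, '<h1') === false && $inner === strip_tags(htmlspecialchars_decode($inner));
}

echo renderLinkUnsafe('/faq/1', $question), PHP_EOL;
echo renderLinkSafe('/faq/1', $question), PHP_EOL;

if (!containsNoRawTag(renderLinkSafe('/faq/1', $question), $question)) {
    throw new RuntimeException('hardened renderer leaked raw markup');
}
if (containsNoRawTag(renderLinkUnsafe('/faq/1', $question), $question)) {
    throw new RuntimeException('check failed to flag the unencoded renderer');
}
```

Running the script prints the two rendered anchors: the first contains a live <h1> element injected from the question, the second contains only &quot;, &lt; and &gt; entities, which the browser displays as literal text. Encoding belongs at the point of output rather than at save time, because the same stored question may be emitted into several contexts (attribute, text node, URL) that each need their own encoding; a hardened href would additionally need URL validation, which is outside the scope of this report.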
Impact
Phishing, stealing tokens and sessions, making an admin perform actions the attacker wants (add a new admin or reset the admin password), distributing malware, etc.