phpMyFAQ 2.9.0 Stored XSS

Datetime: 2016-08-22 21:58:17    Topic: XSS Vulnerability

09 Jun 2016

Homepage:

http://www.phpmyfaq.de/

Description:

The PHP filter_input() function with the FILTER_VALIDATE_URL flag is used to validate the URL submitted through the savefaq functionality.

But this function does not protect against XSS: it only checks that the value is a syntactically valid URL, and the value is then written into the FAQ's HTML unescaped.

File: phpmyfaq\ajaxservice.php

// I skip unnecessary lines
// FILTER_VALIDATE_URL accepts characters such as ", < and > in the path
$contentlink = PMF_Filter::filterInput(INPUT_POST, 'contentlink', FILTER_VALIDATE_URL);
if (PMF_String::substr($contentlink, 7) != '') {
    // $contentlink lands in an attribute value and in a text node without any escaping
    $answer = sprintf(
        '%s<br /><div id="newFAQContentLink">%s<a href="http://%s" target="_blank">%s</a></div>',
        $answer,
        $PMF_LANG['msgInfo'],
        PMF_String::substr($contentlink, 7),
        $contentlink
    );
}
$newData = [
    'lang' => ($isTranslation === true ? $newLanguage : $languageCode),
    'thema' => $question,
    'active' => ($autoActivate ? FAQ_SQL_ACTIVE_YES : FAQ_SQL_ACTIVE_NO),
    'sticky' => 0,
    'content' => $answer,
    'keywords' => $keywords,
    'author' => $name,
    'email' => $email,
    'comment' => 'y',
    'date' => date('YmdHis'),
    'dateStart' => '00000000000000',
    'dateEnd' => '99991231235959',
    'linkState' => '',
    'linkDateCheck' => 0
];
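The following is an added example, not phpMyFAQ code, that reproduces the pattern above in a stand-alone script: the same validate-then-interpolate logic beside a hardened version that escapes the value for the HTML attribute and text contexts it lands in. The helper names render_link_vulnerable() and render_link_safe() are hypothetical, and the sample input is the advisory's own payload, embedded here as a constructed constant.

```php
<?php
// Added example (not phpMyFAQ's code): why FILTER_VALIDATE_URL alone does not
// stop stored XSS, and what output escaping changes. Helper names are hypothetical.

// Constructed sample input: the value from the advisory as it would arrive in
// the "Link for this FAQ" field.
const SAMPLE_LINK = 'http://example.com/"><script>alert("xss")</script>';

// Mirrors the original logic: syntax validation only, then raw interpolation into HTML.
function render_link_vulnerable(string $contentlink): ?string
{
    // FILTER_VALIDATE_URL checks scheme and host; " < > are legal in the path.
    $valid = filter_var($contentlink, FILTER_VALIDATE_URL);
    if ($valid === false || substr($valid, 7) === '') {
        return null; // not a URL, nothing is rendered
    }
    return sprintf(
        '<a href="http://%s" target="_blank">%s</a>',
        substr($valid, 7), // the original strips the leading "http://" this way
        $valid
    );
}

// Hardened: same validation, plus a scheme allow-list and escaping at output time.
function render_link_safe(string $contentlink): ?string
{
    $valid = filter_var($contentlink, FILTER_VALIDATE_URL);
    if ($valid === false) {
        return null;
    }
    // FILTER_VALIDATE_URL accepts any scheme as long as a host is present,
    // so keep only the schemes this link is meant to carry.
    $scheme = strtolower((string) parse_url($valid, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    // ENT_QUOTES converts both " and ' to entities, so the value can never
    // close the double-quoted href; < and > become &lt; and &gt; in the text node.
    $escaped = htmlspecialchars($valid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<a href="%s" target="_blank" rel="noopener">%s</a>', $escaped, $escaped);
}

// Demonstration: run with `php example.php` and compare the two lines.
echo 'vulnerable: ', render_link_vulnerable(SAMPLE_LINK), PHP_EOL;
echo 'safe:       ', render_link_safe(SAMPLE_LINK), PHP_EOL;
```

In the vulnerable output the first `"` of the stored value terminates the href attribute and the rest of the string is emitted as live markup, which is exactly what the advisory's proof of concept relies on. In the hardened output the same value passes validation unchanged but is rendered as inert text, because the escaping is applied at the point where the string meets HTML rather than at input time. The fix, in other words, is not a stricter input filter but context-correct encoding on output.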

Proof of Concept:

By default every user can propose faq entries.

When an admin activates the article via http://phpmyfaq/admin/?action=view, or when the records.defaultActivation option is enabled, the XSS is triggered on the entry page:

http://phpmyfaq/index.php?action=artikel&cat=%cat_id%&id=%article_id%&artlang=pl

For exploitation, use the following URL in the "Link for this FAQ" field:

http://example.com/"><script>alert("xss")</script>

Timeline:

  • 23-05-2016: Discovered
  • 23-05-2016: Vendor notified
  • 31-05-2016: Version 2.9.1 released, issue resolved
