Reflected Cross-Site Scripting when restoring a backup in thorsten/phpmyfaq


Reported on

May 11th 2023


An XSS vulnerability has been identified when an administrator restores a backup from a file. When using a specially crafted file, it's possible to trigger an error that will be displayed on the web page. Since the error message contains the invalid part of the file, any JavaScript code in the file is executed.

This XSS might be triggered in other places, as long as the attacker has control over the exception message. Indeed, the issue comes from the exception handler, which prints details about the exception.

Proof of Concept

To reproduce the XSS, follow these steps:

  1. Log in as an administrator
  2. Go to Backup -> Backup and select a file to restore
  3. Select a file containing the following:

     -- pmf3.2: faqattachment<script>alert(1)</script>267899


Encode the exception message before printing it. It can be done using the htmlspecialchars function.
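
The recommended fix, sketched as an added example (not phpMyFAQ's own code): a handler that prints the exception message raw, next to one that encodes it with htmlspecialchars. The function names, the header check and the table list are hypothetical stand-ins; only the crafted header line comes from the report.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a backup-header check: the rejected value is
// copied into the exception message, so file content reaches the handler.
function checkBackupHeader(string $firstLine, array $knownTables): void
{
    if (!preg_match('/^-- pmf\d+\.\d+: (.*)$/', $firstLine, $m)) {
        throw new RuntimeException('Missing backup header');
    }
    foreach (explode(' ', trim($m[1])) as $table) {
        if (!in_array($table, $knownTables, true)) {
            throw new RuntimeException('Unknown table in backup: ' . $table);
        }
    }
}

// Before: the message is concatenated into HTML as-is.
function renderErrorUnsafe(Throwable $e): string
{
    return '<p class="error">' . $e->getMessage() . '</p>';
}

// After: the message is encoded for an HTML context before output.
function renderErrorSafe(Throwable $e): string
{
    $msg = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="error">' . $msg . '</p>';
}

// First line of the crafted file from the proof of concept above.
$line = '-- pmf3.2: faqattachment<script>alert(1)</script>267899';

try {
    checkBackupHeader($line, ['faqattachment', 'faqdata']); // constructed table list
} catch (RuntimeException $e) {
    echo renderErrorUnsafe($e), PHP_EOL; // <script> element reaches the page intact
    echo renderErrorSafe($e), PHP_EOL;   // &lt;script&gt;... is displayed as text
}
```

Encoding in the handler rather than at each throw site covers every exception whose message carries untrusted input, which is the broader case the report describes.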


By exploiting this vulnerability, an attacker can execute JavaScript code in the administrator's browser, steal their cookie and take over their account.


The highlighted lines print the exception message, which an attacker may control in some situations.

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 9 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 9 months ago
Thorsten Rinne validated this vulnerability 9 months ago
nalysius has been awarded the disclosure bounty
Thorsten Rinne marked this as fixed in 3.2.0-beta.2 with commit 04a018 9 months ago
Thorsten Rinne has been awarded the fix bounty
Error.php#L55-L59 has been validated
This vulnerability has now been published 8 months ago