Reflected Cross-Site Scripting when restoring a backup in thorsten/phpmyfaq
May 11th 2023
This XSS might be triggered in other places as well, as long as the attacker has control over the exception message. The root cause is the exception handler, which prints details about the exception into the page without encoding them.
Proof of Concept
To reproduce the XSS follow these steps:
- Login as an administrator
- Go to Backup -> Backup and select a file to restore
- Select a file containing the following line:

```text
-- pmf3.2: faqattachment<script>alert(1)</script>267899
```
Encode the exception message before printing it; this can be done with the htmlspecialchars function.
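As an added illustration (not phpMyFAQ's own code), the following PHP shows the vulnerable pattern the report describes beside the hardened form. The function names, the HTML wrapper and the exception message are constructed for this example; the message simply embeds the header line from the proof of concept, as an exception thrown while validating an uploaded backup might.

```php
<?php
declare(strict_types=1);

// Hypothetical exception rendering in the style described by the report.
// Not phpMyFAQ's code: function names and the message below are constructed.

// Vulnerable form: the message is interpolated into HTML unchanged, so any
// markup the attacker placed in the backup file is rendered by the browser.
function renderExceptionUnsafe(Throwable $e): string
{
    return '<p>Error: ' . $e->getMessage() . '</p>';
}

// Hardened form: encode before printing. ENT_QUOTES also escapes single quotes
// (relevant if the text ever lands in an attribute), and ENT_SUBSTITUTE keeps
// htmlspecialchars from returning an empty string on invalid UTF-8, which would
// otherwise silently drop the error text instead of failing closed.
function renderExceptionSafe(Throwable $e): string
{
    $msg = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>Error: ' . $msg . '</p>';
}

// Constructed message modelled on the PoC: the first line of the uploaded
// file is echoed back in the exception text.
$header = '-- pmf3.2: faqattachment<script>alert(1)</script>267899';
$e = new RuntimeException('Unexpected backup header: ' . $header);

echo renderExceptionUnsafe($e), PHP_EOL;
echo renderExceptionSafe($e), PHP_EOL;
```

Running it prints the same error text twice: the first copy contains a live `<script>` element, the second has the angle brackets turned into `&lt;` and `&gt;` entities so the browser shows the payload as text. The encoding belongs at the point where the message is written into HTML, not where the exception is thrown, so that every exception path through the handler is covered regardless of where the message originated.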