Stored XSS in Attachment File Name in thorsten/phpmyfaq

Valid

Reported on

Oct 2nd 2023


Description

A stored cross-site scripting (XSS) vulnerability exists in the file attachment upload functionality. The name of an uploaded file is stored and later rendered without HTML encoding on the FAQ record it is attached to, so a low-privileged user who is allowed to add attachments can inject markup that executes in the browser of any user who views that record.

Replication Steps

0x01. A user holding only the "Edit Record" and "Add Attachments" permissions edited a FAQ record and clicked "Add new attachment", as seen in the following screenshot:

[Screenshot: user-add-new-attachment]

0x02. The user selected a local file. Using an interception proxy, the multipart upload request was modified so that the filename parameter carried an XSS payload, as seen in the following screenshot:

[Screenshot: user-file-upload-tamper.png]

The filename parameter was set to the following payload:

file.txt\"><svg onload=alert(document.domain)>

The backslash escapes the quote inside the quoted filename of the Content-Disposition header so that it survives multipart parsing; once stored, the "> closes the HTML attribute into which the filename is rendered and the <svg onload=...> element that follows executes when the page loads.

0x03. The request was allowed to proceed and the file upload succeeded, as seen in the following screenshot:

[Screenshot: user-file-upload-succeeded.png]

0x04. A separate administrative user logged in and navigated to the FAQ record to which the file had been uploaded, and the script executed, as seen in the following screenshot:

[Screenshot: admin-script-execution]

The DOM was inspected and the injected <svg> element containing the JavaScript was located, as seen in the following screenshot:

[Screenshot: xss-svg-tag.png]
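To make the failure mode concrete, the following is an added illustrative example written for this write-up; it is not code from phpMyFAQ or from the fix in commit 5310cb, and it assumes PHP 8. It shows the filename that a tampered Content-Disposition header delivers to the server (a constructed sample), a vulnerable renderer that concatenates that name into markup, a hardened renderer that HTML-encodes it at output time, and an upload-time allowlist check as defence in depth. The link markup, the attachment id and the function names are illustrative assumptions, not the project's own.

```php
<?php
// Illustrative example, not phpMyFAQ code: shows how a tampered multipart
// filename reaches the server, why rendering it unescaped is a stored XSS,
// and two ways to harden it (output encoding and a filename allowlist).
declare(strict_types=1);

// The tampered upload request from step 0x02 carries the payload inside the
// quoted filename of the Content-Disposition header (the backslash escapes
// the quote so the multipart parser keeps it):
//
//   Content-Disposition: form-data; name="file"; filename="file.txt\"><svg onload=alert(document.domain)>"
//
// Constructed sample of what PHP then exposes as $_FILES['file']['name'].
const TAMPERED_NAME = 'file.txt"><svg onload=alert(document.domain)>';

// Vulnerable pattern (hypothetical markup): the stored filename is concatenated
// straight into HTML. The attacker's "> closes the title attribute and the
// <svg> element lands in the DOM, exactly as seen in step 0x04.
function renderAttachmentVulnerable(string $filename, int $id): string
{
    return '<a href="/attachment/' . $id . '" title="' . $filename . '">'
        . $filename . '</a>';
}

// Hardened pattern: encode for the HTML context at output time. ENT_QUOTES
// encodes both quote characters, so neither the attribute nor the element
// body can be broken out of, regardless of what was stored.
function renderAttachmentSafe(string $filename, int $id): string
{
    $safe = htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="/attachment/' . $id . '" title="' . $safe . '">'
        . $safe . '</a>';
}

// Defence in depth at upload time: only accept plain file names.
// Allowlist: letters, digits, dot, dash, underscore, space; no path separators,
// no HTML metacharacters. Output encoding above remains the primary control.
function isAcceptableFilename(string $filename): bool
{
    if ($filename === '' || strlen($filename) > 255) {
        return false;
    }
    if ($filename !== basename($filename)) {
        return false;  // contains a directory component
    }
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9 ._-]*$/', $filename) === 1;
}

// Summarises the checks so the result can be inspected from the CLI.
function demonstrate(): array
{
    $vuln = renderAttachmentVulnerable(TAMPERED_NAME, 42);
    $safe = renderAttachmentSafe(TAMPERED_NAME, 42);
    return [
        'vulnerable_contains_svg' => str_contains($vuln, '<svg onload='),
        'safe_contains_svg'       => str_contains($safe, '<svg'),
        'tampered_rejected'       => !isAcceptableFilename(TAMPERED_NAME),
        'benign_accepted'         => isAcceptableFilename('report 2023.txt'),
    ];
}

foreach (demonstrate() as $check => $result) {
    printf("%-24s %s\n", $check, $result ? 'true' : 'false');
}
echo "\nVulnerable: " . renderAttachmentVulnerable(TAMPERED_NAME, 42) . "\n";
echo "Hardened:   " . renderAttachmentSafe(TAMPERED_NAME, 42) . "\n";
```

Run with `php example.php`: the vulnerable output contains a live `<svg onload=...>` element, the hardened output shows the same characters as `&lt;svg onload=...&gt;` and the `"` as `&quot;`, and the allowlist rejects the tampered name while accepting an ordinary one. The encoding has to happen at the point of output for the HTML context, because the stored value is attacker-controlled no matter how it got into the database.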

Test Environment

Version: phpMyFAQ 4.0.0-dev

git log:

commit cfe7269b349dfba1dd6af1494b44f7963cb2b470 (tag: development-nightly-2023-10-02)
Merge: be343c9f6 67cbe1897
Author: Thorsten Rinne <thorsten@phpmyfaq.de>
Date:   Sun Oct 1 16:48:38 2023 +0200

    Merge branch '3.2'

Impact

A user with attachment-upload rights can execute arbitrary client-side JavaScript in the context of any other user's phpMyFAQ session, including administrators who view the affected FAQ record (as shown in step 0x04). The injected script runs with the privileges of the viewing user.

Timeline

The report was received and the thorsten/phpmyfaq team was contacted; the maintainer acknowledged the report.
Thorsten Rinne validated this vulnerability.
Matt Zajork was awarded the disclosure bounty.
Thorsten Rinne marked this as fixed in 3.2.2 with commit 5310cb and was awarded the fix bounty.
The fix location AttachmentHelper.php#L48 has been validated.
This vulnerability has been assigned a CVE and was scheduled to go public on Oct 31st 2023.
Thorsten Rinne published this vulnerability.