Stored XSS in Attachment File Name in thorsten/phpmyfaq
Oct 2nd 2023
A stored cross-site scripting vulnerability exists in the FAQ record attachment upload functionality. The file name supplied in the upload request is stored without validation and later rendered back into the record page without output encoding, so a low-privileged user who may edit a record and add attachments can plant a script that executes in the browser of any administrator who views that record.
0x01. A user holding only the "Edit Record" and "Add Attachments" permissions edited a FAQ record and clicked "Add new attachment", as seen in the following screenshot:
0x02. The user selected a local file. Using an interception proxy, the file upload request was modified so that the file name carried an XSS payload, as seen in the following screenshot:
The filename parameter of the upload request was set to the following XSS payload:
0x03. The modified request was forwarded to the server and the upload succeeded; the file name was accepted as sent, as seen in the following screenshot:
0x04. A separate administrative user logged in and navigated to the FAQ record to which the file had been uploaded, and the script executed, as seen in the following screenshot:
The DOM was inspected and the injected
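The upload manipulation and the rendering bug described in steps 0x01 to 0x04, reconstructed as an added Python example. This is illustrative code written for this report, not phpMyFAQ's own; the form field name, multipart boundary, attachment URL path and the file-name payload are constructed for the demonstration (the reporter's actual payload is not reproduced), and the vulnerable and fixed rendering functions are assumed shapes of the output code, not the project's. It builds the crafted multipart body an interception proxy would forward, extracts the file name the way a naive server would, and contrasts unescaped rendering with contextual output encoding plus upload-time sanitisation.

```python
"""Added example: how a crafted multipart file name becomes stored XSS, and the
two server-side fixes. Illustrative code written for this report, not
phpMyFAQ's own. Field name, boundary, URL path and payload are constructed."""
import html
import os
import re
from urllib.parse import quote

# Constructed attacker-controlled file name (not the reporter's actual payload).
# It contains no '"' or ';', so it survives the Content-Disposition header intact.
PAYLOAD_FILENAME = "<img src=x onerror=alert(document.domain)>.txt"


def build_multipart(field: str, filename: str, content: bytes,
                    boundary: str) -> bytes:
    """Build the multipart/form-data body as an interception proxy would forward
    it once the filename parameter has been edited (step 0x02)."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: text/plain\r\n"
        "\r\n"
    ).encode()
    return head + content + f"\r\n--{boundary}--\r\n".encode()


def parse_filenames(body: bytes, boundary: str) -> list:
    """Minimal server-side view of the upload: pull the filename parameter out of
    each part's Content-Disposition header. Nothing is validated here, which is
    exactly the bug class: whatever the client sent is what gets stored."""
    names = []
    for part in body.split(f"--{boundary}".encode()):
        headers, sep, _ = part.partition(b"\r\n\r\n")
        if not sep:
            continue  # preamble or closing delimiter, not a body part
        m = re.search(rb'filename="([^"]*)"', headers)
        if m:
            names.append(m.group(1).decode("utf-8", "replace"))
    return names


def render_link_vulnerable(stored_name: str) -> str:
    """Renders the stored name straight into the FAQ page (step 0x04):
    the markup inside the name becomes live DOM."""
    return f'<a href="/attachments/{stored_name}">{stored_name}</a>'


def render_link_fixed(stored_name: str) -> str:
    """Same link with contextual output encoding: percent-encoding for the URL
    path segment and HTML entity escaping (including quotes) for the text node."""
    return (f'<a href="/attachments/{quote(stored_name, safe="")}">'
            f'{html.escape(stored_name, quote=True)}</a>')


def sanitize_stored_name(filename: str) -> str:
    """Defence in depth at upload time: keep only the last path component and a
    conservative character set, so nothing script-like (or traversal-like) is
    stored in the first place. Output encoding is still required on render."""
    base = os.path.basename(filename.replace("\\", "/"))
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")
    return cleaned[:128] or "attachment"


if __name__ == "__main__":
    boundary = "----demoBoundary"  # constructed
    body = build_multipart("attachment", PAYLOAD_FILENAME, b"hello", boundary)
    print(body.decode())
    name = parse_filenames(body, boundary)[0]
    print("vulnerable:", render_link_vulnerable(name))
    print("fixed:     ", render_link_fixed(name))
    print("sanitised: ", sanitize_stored_name(name))
```

The fix that matters is the encoding at render time: the file name is untrusted data in an HTML text node and in a URL attribute, and each context needs its own encoder. The sanitiser is a second layer, not a replacement, since a name that passes a character whitelist today may still be unsafe in some other output context tomorrow.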
Version: phpMyFAQ 4.0.0-dev
commit cfe7269b349dfba1dd6af1494b44f7963cb2b470 (tag: development-nightly-2023-10-02)
Merge: be343c9f6 67cbe1897
Author: Thorsten Rinne <firstname.lastname@example.org>
Date:   Sun Oct 1 16:48:38 2023 +0200

    Merge branch '3.2'