File Upload Vulnerability in Categories in thorsten/phpmyfaq

Valid

Reported on Aug 31st 2023


Description

I noticed your website is very secure.

But you overlooked a flaw in File Upload.

Proof of Concept

Detail:

1. Log in with the admin demo account and access the admin page.

2. Create a category titled "test" and upload an image file.

3. Using Burp Suite, edit Content-type: image/html and insert the payload at the end of the content:

    <script>window.location.href = 'https://www.youtube.com'</script>

4. Go back to the home page and save the image as ".html".

5. Open the image file and observe that it navigates to the YouTube website.

Video PoC

https://drive.google.com/file/d/1o05oFZXNDVLnpF9e86R9DAKXfYILHKR8/view?usp=sharing

Impact

This security vulnerability has the potential to redirect many users to other malicious websites, insert malicious code...
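
A server-side check for the tampering in steps 3 to 5, as an added example that is not part of the report and not phpMyFAQ's fix in commit abf524: it rejects a declared Content-Type outside an allowlist and any bytes after the PNG IEND chunk. It is narrowed to PNG; `check_upload`, `ALLOWED_TYPES` and the sample images are assumptions constructed for the example.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ALLOWED_TYPES = {"image/png"}  # allowlist assumed for this example


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))


def check_upload(declared_type: str, body: bytes) -> str:
    """Return 'ok' or the reason the upload is rejected."""
    if declared_type.lower() not in ALLOWED_TYPES:
        return "content-type not allowed"
    if not body.startswith(PNG_SIG):
        return "not a PNG"
    pos = len(PNG_SIG)
    while pos + 12 <= len(body):  # 12 = length + type + CRC of an empty chunk
        (length,) = struct.unpack(">I", body[pos:pos + 4])
        ctype = body[pos + 4:pos + 8]
        end = pos + 12 + length
        if end > len(body):
            return "truncated chunk"
        (crc,) = struct.unpack(">I", body[end - 4:end])
        if crc != zlib.crc32(body[pos + 4:end - 4]):
            return "bad chunk CRC"
        pos = end
        if ctype == b"IEND":  # nothing may follow the final chunk
            return "ok" if pos == len(body) else "trailing data after IEND"
    return "missing IEND"


# Constructed sample: a minimal 1x1 grayscale PNG built in-line.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
IDAT = zlib.compress(b"\x00\x00")  # filter byte + one pixel
CLEAN_PNG = PNG_SIG + png_chunk(b"IHDR", IHDR) + png_chunk(b"IDAT", IDAT) + png_chunk(b"IEND", b"")
# Same image with markup appended after the image data (placeholder payload).
TAMPERED_PNG = CLEAN_PNG + b"<script>/* placeholder */</script>"

if __name__ == "__main__":
    print(check_upload("image/png", CLEAN_PNG))
    print(check_upload("image/html", CLEAN_PNG))
    print(check_upload("image/png", TAMPERED_PNG))
```

Content placed inside a valid chunk still passes this check, so re-encoding the image on the server remains the stronger control.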

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 6 months ago
HaiNguyen modified the report 6 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 6 months ago
Thorsten Rinne (Maintainer), 6 months ago

Why should a user download the image, change the extension of the downloaded file to "html" and open that file in the browser?

HaiNguyen (Researcher), 6 months ago

Hi, attackers use social engineering, trick users into downloading images and changing the file extension to html, thereby directing users to their malicious website.

Thorsten Rinne validated this vulnerability 6 months ago
hainguyen0207 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.8 with commit abf524 6 months ago
Thorsten Rinne has been awarded the fix bounty
HaiNguyen (Researcher), 6 months ago

Hi @Thorsten Rinne, can you specify the CVE for this report? I really need it for work. Thank you very much.

Thorsten Rinne (Maintainer), 6 months ago

@admin could you please fix that, sorry

HaiNguyen (Researcher), 6 months ago

@admin, please help me with this.

HaiNguyen (Researcher), 6 months ago

@Thorsten Rinne, thank you very much.

Ben Harvie (Admin), 5 months ago

Hi, a CVE will now be assigned once this report is published. Thanks!

HaiNguyen (Researcher), 5 months ago

Okay, thank you

This vulnerability has now been published 5 months ago