Headline
CVE-2022-3608: Stored XSS and possible RCE/LFI in case of misconfiguration in phpmyfaq
Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.0-alpha.
Description
phpMyFAQ has a feature to restore the entire application from a backup. An attacker who already holds admin rights can download a backup, edit the SQL dump it contains, and upload the modified file again; the restore replays the statements directly against the database, bypassing all of the backend sanitization and input controls that the normal admin forms enforce.
Proof of Concept XSS
- Log in as admin.
- Go to the backup page.
- Create a backup and download it.
- Edit the file, or add some queries to it.
- In this case I edited the content of a category in order to fire an XSS on the admin panel or homepage.
- Navigate to a page that renders the category (homepage, category list, etc.) and observe the XSS.
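The procedure above, worked through end to end as an added example. This is not code from the advisory or from the phpMyFAQ project: the dump below is a constructed stand-in for a real backup file, and the table and column names (faqcategories, name, description) are illustrative assumptions, not the project's actual schema. The script shows the attacker's edit, a restore that replays the INSERT verbatim, and why contextual output encoding at the render sink is what actually neutralises the stored payload regardless of how it entered the database.

```python
"""Added example (not from the advisory or phpMyFAQ): tampering a downloaded
SQL backup so a category name carries a script payload, restoring it without
validation, and comparing a raw template with an HTML-escaping one."""
import html
import re

# Constructed sample dump. ASSUMPTION: the real phpMyFAQ backup format and
# schema differ; this stand-in only mirrors the shape of an INSERT per row.
SAMPLE_BACKUP = """-- phpMyFAQ backup (constructed sample)
INSERT INTO faqcategories (id, lang, parent_id, name, description) VALUES (1, 'en', 0, 'General', 'General questions');
INSERT INTO faqcategories (id, lang, parent_id, name, description) VALUES (2, 'en', 0, 'Billing', 'Payments');
"""

PAYLOAD = "<script>alert(document.domain)</script>"

# Captures: 1 = statement up to the opening quote of `name`, 2 = id,
# 3 = current name, 4 = the remainder starting at the closing quote.
CATEGORY_INSERT = re.compile(
    r"^(INSERT INTO faqcategories .*? VALUES \((\d+), '[^']*', \d+, ')([^']*)('.*)$"
)


def tamper_category(dump: str, category_id: int, payload: str) -> str:
    """Return the dump with category `category_id`'s name replaced by `payload`.

    Only single quotes are doubled so the statement stays valid SQL. Nothing
    is sanitised: the restore path never sees the admin form's filters."""
    out = []
    for line in dump.splitlines():
        m = CATEGORY_INSERT.match(line)
        if m and int(m.group(2)) == category_id:
            line = m.group(1) + payload.replace("'", "''") + m.group(4)
        out.append(line)
    return "\n".join(out) + "\n"


def restore(dump: str) -> dict:
    """Simulate the restore endpoint: every INSERT is replayed as-is.

    Returns {category_id: stored_name} as the database would hold it."""
    db = {}
    for line in dump.splitlines():
        m = CATEGORY_INSERT.match(line)
        if m:
            db[int(m.group(2))] = m.group(3).replace("''", "'")
    return db


def render_vulnerable(name: str) -> str:
    """Template that echoes the stored value unencoded: stored XSS fires."""
    return f"<li>{name}</li>"


def render_hardened(name: str) -> str:
    """Template that HTML-escapes at the sink. The value is encoded no matter
    how it reached the database, so the restore bypass no longer matters for
    this output context."""
    return f"<li>{html.escape(name, quote=True)}</li>"


if __name__ == "__main__":
    tampered = tamper_category(SAMPLE_BACKUP, 1, PAYLOAD)
    db = restore(tampered)
    print("stored name :", db[1])
    print("vulnerable  :", render_vulnerable(db[1]))
    print("hardened    :", render_hardened(db[1]))
```

The hardened renderer is the general fix: any path that writes to the database without the form-layer checks (restore, direct SQL, a future import feature) is defeated by encoding at the point of output rather than by trusting stored data. The regex-based "restore" is a stand-in for a real SQL engine and is intentionally minimal.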
PoC-Payload:
Misconfiguration
If the database account phpMyFAQ connects with has been granted the MySQL/MariaDB FILE privilege (directly, or via ALL PRIVILEGES ON *.*), and secure_file_priv does not restrict it, the same restore path lets an attacker read or write arbitrary files on the database host.
Example 1 (read-file grant):
Read SSH keys, /etc/passwd, etc.
SELECT LOAD_FILE('/etc/passwd');
Example 2 (write-file grant):
Write a PHP shell file into the web root (the path is shown in the admin panel under System Information -> Server Document Root):
SELECT 'some php code' INTO DUMPFILE '/sitepath/somefile.php';
Note that LOAD_FILE and INTO DUMPFILE read and write files as the database server process, so the web-shell variant only works when the database and web server share a host (or a filesystem) and the mysqld user can write to the document root.
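Before assuming the file read/write escalation applies, a practitioner would check the two settings that gate it. The following is an added example, not part of the advisory or of phpMyFAQ: an offline audit that takes the textual output of SHOW GRANTS FOR CURRENT_USER() and the value of @@secure_file_priv (both constructed here as sample data) and reports whether LOAD_FILE / INTO DUMPFILE are possible. It also emits the REVOKE statement that closes the hole; the account name 'phpmyfaq'@'localhost' is an assumption.

```python
"""Added example (not from the advisory or phpMyFAQ): decide whether a MySQL/
MariaDB account can turn SQL execution into file read/write.

Two server facts drive the logic:
  * LOAD_FILE() and SELECT ... INTO DUMPFILE/OUTFILE need the global FILE
    privilege, granted by name or implied by ALL [PRIVILEGES] ON *.*.
  * secure_file_priv then limits them: NULL disables file I/O entirely, a
    directory confines it to that directory, and the empty string means no
    restriction. Operators commonly mistake "" for "off".
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Only global grants (ON *.*) can carry FILE; database-scoped grants cannot.
_GLOBAL_GRANT = re.compile(r"^GRANT\s+(.+?)\s+ON\s+\*\.\*\s+TO\b", re.IGNORECASE)


@dataclass
class FileAccess:
    has_file_priv: bool
    secure_file_priv: Optional[str]
    can_read: bool
    can_write: bool
    confined_to: Optional[str]
    verdict: str


def has_file_privilege(grant_lines: Iterable[str]) -> bool:
    """True if any SHOW GRANTS line confers FILE, explicitly or via ALL."""
    for line in grant_lines:
        m = _GLOBAL_GRANT.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if privs & {"ALL PRIVILEGES", "ALL", "FILE"}:
            return True
    return False


def assess(grant_lines: Iterable[str], secure_file_priv: Optional[str]) -> FileAccess:
    """Combine the privilege check with secure_file_priv semantics."""
    lines = list(grant_lines)
    if not has_file_privilege(lines):
        return FileAccess(False, secure_file_priv, False, False, None,
                          "no FILE privilege: LOAD_FILE/DUMPFILE are denied")
    if secure_file_priv is None:
        return FileAccess(True, None, False, False, None,
                          "FILE granted but secure_file_priv is NULL: file I/O disabled server-wide")
    if secure_file_priv == "":
        return FileAccess(True, "", True, True, None,
                          "FILE granted and secure_file_priv is empty: unrestricted file I/O as the mysqld user")
    return FileAccess(True, secure_file_priv, True, True, secure_file_priv,
                      f"FILE granted; file I/O confined to {secure_file_priv}")


def remediation(account: str) -> List[str]:
    """Statements that remove the escalation path for `account`
    (e.g. \"'phpmyfaq'@'localhost'\", an assumed name)."""
    return [
        f"REVOKE FILE ON *.* FROM {account};",
        "-- and in my.cnf / mariadb.cnf: secure_file_priv = NULL (or a dedicated directory)",
    ]


# Constructed sample SHOW GRANTS output for an over-privileged and a scoped account.
WEAK_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'phpmyfaq'@'localhost' WITH GRANT OPTION"]
SCOPED_GRANTS = [
    "GRANT USAGE ON *.* TO 'phpmyfaq'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `phpmyfaq`.* TO 'phpmyfaq'@'localhost'",
]

if __name__ == "__main__":
    for grants in (WEAK_GRANTS, SCOPED_GRANTS):
        for sfp in (None, "", "/var/lib/mysql-files/"):
            print(assess(grants, sfp).verdict)
    print("\n".join(remediation("'phpmyfaq'@'localhost'")))
```

Run the real checks with SHOW GRANTS FOR CURRENT_USER(); and SELECT @@secure_file_priv; from the application's own credentials, then feed the output in. A scoped account like SCOPED_GRANTS is the least-privilege target: the application needs table-level DML on its own schema, never a global FILE grant.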
Impact
This vulnerability allows an attacker who already holds admin rights in phpMyFAQ to execute arbitrary SQL against the application database and take control of its entire contents. Where the database account also holds the FILE privilege, the attacker can read arbitrary files from the database host and, if the web root is writable by the database server, achieve code execution by writing a malicious PHP file.
Related news
phpMyFAQ versions 3.1.7 and prior are vulnerable to stored cross-site scripting (XSS). A patch is available on the `main` branch of the repository and anticipated to be part of version 3.2.0-alpha.