huntr report 5C09B32E-A041-4A1E-A277-EB3E80967DF0 by mattzajork
History: Oct 02, 2023 - 7:37 p.m.

Stored XSS in Attachment File Name

2023-10-02 19:37:09
mattzajork
www.huntr.dev
Tags: stored xss, file attachment, tampering, script execution, vulnerability, phpmyfaq

AI Score: 5.5
Confidence: High
EPSS: 0
Percentile: 14.0%

Description

A stored cross-site scripting vulnerability exists within the file attachment upload functionality.

Replication Steps

0x01. As a user holding only the “Edit Record” and “Add Attachments” permissions, the reporter edited a FAQ record and clicked “Add new attachment”, as seen in the following screenshot:

[screenshot: user-add-new-attachment]

0x02. The user selected a local file. Using an interception proxy, the file upload request was modified so that the filename carried an XSS payload, as seen in the following screenshot:

[screenshot: user-file-upload-tamper.png]

The filename parameter was set to the following XSS payload:

file.txt\"><svg onload=alert(document.domain)>

0x03. The modified request was allowed to proceed and the file upload succeeded, as seen in the following screenshot:

[screenshot: user-file-upload-succeeded.png]

0x04. A separate administrative user logged in and navigated to the FAQ record holding the uploaded file, and the script executed, as seen in the following screenshot:

[screenshot: admin-script-execution]

Inspecting the DOM located the injected <svg> element containing the JavaScript, as seen in the following screenshot:

[screenshot: xss-svg-tag.png]
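The defect the steps above demonstrate is an attachment name that is stored verbatim and written into HTML unescaped. The following PHP is an added example, not phpMyFAQ's own code; the function names, the `/attachments/` link path and the sample filename (taken from the payload in this report, without the request-body escaping) are assumptions made for the illustration. It shows the vulnerable rendering beside an output-encoded version and an upload-time name check.

```php
<?php
// Added example, not phpMyFAQ's own code. Models the bug described above:
// an attachment name stored verbatim and rendered into HTML unescaped.

// Constructed sample: the filename from the report's tampered upload request.
$storedFilename = 'file.txt"><svg onload=alert(document.domain)>';

// Vulnerable rendering (hypothetical): the stored name is interpolated straight
// into markup, so the quote closes the href attribute and <svg> becomes live HTML.
function renderAttachmentLinkVulnerable(string $filename): string
{
    return '<a href="/attachments/' . $filename . '">' . $filename . '</a>';
}

// Hardened rendering (hypothetical): encode for the HTML context at output time.
// ENT_QUOTES also encodes single quotes, so the name is safe in either quoting
// style; rawurlencode() handles the URL context of the href separately.
function renderAttachmentLinkSafe(string $filename): string
{
    $escaped = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="/attachments/' . rawurlencode($filename) . '">' . $escaped . '</a>';
}

// Defence in depth at upload time: drop any path component and reject names
// containing characters that are never legitimate in a stored filename.
// Returns null when the name must be refused.
function normaliseUploadName(string $name): ?string
{
    $name = basename($name);
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    if (preg_match('/[<>"\'\\\\\x00-\x1f]/', $name)) {
        return null;
    }
    return $name;
}

// Simple regression check: does the rendered HTML still contain a raw <tag>?
function containsRawTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

echo renderAttachmentLinkVulnerable($storedFilename), PHP_EOL;
echo renderAttachmentLinkSafe($storedFilename), PHP_EOL;
var_dump(containsRawTag(renderAttachmentLinkVulnerable($storedFilename), 'svg'));
var_dump(containsRawTag(renderAttachmentLinkSafe($storedFilename), 'svg'));
var_dump(normaliseUploadName($storedFilename));
```

The output-encoding fix is the one that closes the bug; the upload-time check only narrows the input and would not, on its own, protect names that reach the database by another path.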

Test Environment

Version: phpMyFAQ 4.0.0-dev

git log:

commit cfe7269b349dfba1dd6af1494b44f7963cb2b470 (tag: development-nightly-2023-10-02)
Merge: be343c9f6 67cbe1897
Author: Thorsten Rinne <thorsten@phpmyfaq.de>
Date:   Sun Oct 1 16:48:38 2023 +0200

    Merge branch '3.2'

