Lucene search
Mike9938F0F3635-9D81-4C55-9826-2BA955C3A850HistoryOct 03, 2022 - 11:10 a.m.
Stored XSS and possible RCE/LFI in case of misconfiguration
2022-10-0311:10:31
mike993
www.huntr.dev
100
phpmyfaq
backup
admin
configuration
stored xss
rce
lfi
misconfiguration
sql service
sensitive file
bug bounty
EPSS
0.001
Percentile
40.5%
Description
phpmyfaq has a feature to restore from a backup the entire application. An attacker with admin grant can export the configuration and re-upload the same file bypassing all the backend sanitization and controls.
Proof of Concept XSS
-
- login as admin
-
- go to backup page
-
- Create a backup and download it
-
- Edit or add some query to file
-
- in this case i edited the content of a category in order to fire an XSS on the admin panel or homepage
-
- navigate some page and see the xss (homepage, list categories etc).
PoC-Payload:
#MISCONF
In case of misconfiguration of the SQL service user grant. An attacker could abuse of that by reading/write sensitive file.
Example (read file grant) 1:
- Read ssh keys, or passwd etc…
SELECT LOAD_FILE('/etc/passwd')
Example (write file grant) 2:
- write a php shell file in the root of the server web (the path is discovered from the system information-> Server Document Root)
SELECT 'some php code ' INTO dumpfile '/sitepath/somefile.php'
Related
nvd
nvd
CVE-2022-3608
2022-10-19 13:15:08
cvelist
cvelist
CVE-2022-3608 Cross-site Scripting (XSS) - Stored in thorsten/phpmyfaq
2022-10-19 00:00:00
openvas
openvas
phpMyFAQ < 3.2.0 XSS Vulnerability
2022-11-03 00:00:00
github
github
phpMyFAQ vulnerable to Cross-site Scripting
2022-10-19 19:00:24
prion
prion
Cross site scripting
2022-10-19 13:15:00
osv
osv
phpMyFAQ vulnerable to Cross-site Scripting
2022-10-19 19:00:24
CVE-2022-3608
2022-10-19 13:15:08
cve
cve
CVE-2022-3608
2022-10-19 13:15:08
veracode
veracode
Cross-Site Scripting (XSS)
2022-10-20 04:29:37