phpMyFAQ 2.9.0 – Persistent Cross-Site Scripting

• Exploit Database
• 38 阅读

• 作者： Kacper Szurek
  日期： 2016-06-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39913/

• # Exploit Title: phpMyFAQ 2.9.0 Stored XSS
  # Date: 09-06-2016
  # Software Link: http://www.phpmyfaq.de/
  # Exploit Author: Kacper Szurek
  # Contact: http://twitter.com/KacperSzurek
  # Website: http://security.szurek.pl/
  # Category: webapps
   
  1. Description
   
  PHP `filter_input()` function with `FILTER_VALIDATE_URL` flag is used to validate url inside `savefaq` functionality.
  
  But this function doesn’t protect against XSS.
  
  http://security.szurek.pl/phpmyfaq-290-stored-xss.html
  
  2. Proof of Concept
  
  By default every user can propose faq entries.
  
  When admin activate article using http://phpmyfaq/admin/?action=view url or records.defaultActivation option is enabled, XSS will be visible on entry page:
  
  http://phpmyfaq/index.php?action=artikel&cat=%cat_id%&id=%article_id%&artlang=pl
  
  For exploitation use folowing url inside Link for this FAQ field:
  
  http://example.com/"><script>alert("xss")</script>
  
  3. Solution:
   
  Update to version 2.9.1