PHPMyFAQ 2.9.8 - Cross-Site Scripting (1)

2017-09-2100:00:00

Ishaq Mohammed

www.exploit-db.com

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

4.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

AI Score

5.8

Confidence

High

EPSS

0.007

Percentile

80.1%

JSON

# Exploit Title: phpMyFAQ 2.9.8 Stored XSS
# Vendor Homepage: http://www.phpmyfaq.de/
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: webapps
# CVE: CVE-2017-14618

1. Description

Cross-site scripting (XSS) vulnerability in inc/PMF/Faq.php in phpMyFAQ
through 2.9.8 allows remote attackers to inject arbitrary web script or
HTML via the Questions field in an "Add New FAQ" action.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14618
https://securityprince.blogspot.fr/2017/10/cve-2017-14618-phpmyfaq-298-cross-site.html

2. Proof of Concept

Steps to Reproduce:

   1. Open the affected link "
   http://localhost/phpmyfaq/admin/?action=editentry" with logged in user
   with administrator privileges
   2. Enter the <a onmouseover=alert(document.cookie)>xss link</a> in the
   “Questions”
   3. Save the FAQ
   4. Login using any other user or simply click on the phpMyFAQ on the
   top-right hand side of the web portal
   5. Click on the latest FAQ added
   6. Hover around the name "xss link"


3. Solution:

This vulnerability will be fixed in phpMyFAQ 2.9.9