Security Advisory 2024-03-25
XSS, phishing and spoofing vulnerabilities in phpMyFAQ
- Issued on: 2024-03-25
- Software: phpMyFAQ <= 3.2.5
- Risk: Medium
- Platforms: all
The phpMyFAQ Team has learned of multiple security issues that have been discovered in phpMyFAQ 3.2.5 and
earlier. These include cross-site scripting (XSS), SQL injection and bypass vulnerabilities.
Description
phpMyFAQ does not implement sufficient checks to prevent a path traversal in attachments, which allows attackers with
admin rights to upload malicious files to other locations within the web root.

An attacker with admin privileges can upload an attachment containing JavaScript code without a file extension; the
application then renders it as HTML, which allows for XSS attacks.

Unauthenticated users can inject HTML code into the page, which might affect other users. This requires that guests
are allowed to add new FAQs and that the admin does not check the content of a newly added FAQ.

A PostgreSQL SQL injection vulnerability has been discovered in the admin section when modifying records, due to
improper escaping of the email address.

By manipulating the news parameter in a POST request, an attacker with admin rights can inject malicious JavaScript
code.

The category image upload function in phpMyFAQ is vulnerable to manipulation of the Content-type and lang parameters,
allowing attackers with admin rights to upload malicious files with a .php extension, potentially leading to remote
code execution (RCE) on the system.

The email field in phpMyFAQ's user control panel page is vulnerable to stored XSS attacks due to the inadequacy of
PHP's FILTER_VALIDATE_EMAIL function, which only validates the email format, not its content.

A PostgreSQL SQL injection vulnerability has been discovered in the "Add News" functionality due to improper escaping
of the email address.
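The email-address issues above (stored XSS in the user control panel, SQL injection in record and news saving) share one root cause: a value that passes a syntax check is treated as safe for HTML output and for SQL. The following is an added example, not phpMyFAQ code, written to show that FILTER_VALIDATE_EMAIL accepts an RFC-valid quoted local part carrying markup, and that the effective controls are encoding at the HTML boundary and binding SQL parameters. The `users` table, the sample addresses and the use of an in-memory SQLite database (standing in for PostgreSQL; PDO's pgsql driver takes the same prepared statement) are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ code. Shows why FILTER_VALIDATE_EMAIL alone
// does not make an address safe to print or to splice into SQL, and the two
// controls that do: encoding at the HTML boundary and binding SQL parameters.

/** True when PHP's filter accepts the address. This is a syntax check only. */
function isWellFormedEmail(string $email): bool
{
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

/**
 * Stricter acceptance for an address we intend to store and display.
 * RFC 5321 allows a quoted local part ("..."@host) and PHP's filter accepts
 * it, so markup can ride inside a syntactically valid address. Refuse the
 * double quote and the angle brackets; an apostrophe (o'brien@...) stays legal.
 */
function isAcceptableEmail(string $email): bool
{
    return isWellFormedEmail($email) && preg_match('/["<>]/', $email) !== 1;
}

/** Encode for an HTML text or attribute context; this is the actual XSS control. */
function renderEmail(string $email): string
{
    return htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Store the address with a bound parameter. The statement text never contains
 * user input, so no driver-specific escaping is involved; the same call works
 * against PDO's pgsql driver. Table "users" is a hypothetical schema.
 */
function updateUserEmail(PDO $db, int $userId, string $email): int
{
    $stmt = $db->prepare('UPDATE users SET email = :email WHERE id = :id');
    $stmt->execute([':email' => $email, ':id' => $userId]);
    return $stmt->rowCount();
}

// Constructed sample input: an ordinary address, an RFC-valid address whose
// quoted local part carries markup, and one with an apostrophe.
$samples = [
    'alice@example.com',
    '"<b>not-plain</b>"@example.com',
    "o'brien@example.com",
];

// SQLite in memory stands in for PostgreSQL so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, email) VALUES (1, 'placeholder@example.com')");

foreach ($samples as $email) {
    $wellFormed = isWellFormedEmail($email);
    $accepted   = isAcceptableEmail($email);
    printf("%-34s filter:%-4s accept:%-3s html:%s\n",
        $email,
        $wellFormed ? 'pass' : 'fail',
        $accepted ? 'yes' : 'no',
        renderEmail($email));
    if ($accepted) {
        // The apostrophe address is stored unchanged: bound, not concatenated.
        updateUserEmail($db, 1, $email);
    }
}
echo 'stored: ', $db->query('SELECT email FROM users WHERE id = 1')->fetchColumn(), PHP_EOL;
```

Run with `php example.php` (requires the pdo_sqlite extension). The second sample passes the filter but is refused by the stricter check, and even if it were stored, `renderEmail()` would neutralise it at output; the third sample shows that a legitimate apostrophe needs no escaping once the value is bound.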
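The attachment path traversal and the category image upload bypass described above are both upload-handler problems: trusting the client-supplied Content-type and file name for the type decision, and letting request data shape the destination path. The following is an added example, not phpMyFAQ code, showing the two server-side checks a hardened handler would apply: the type is decided by sniffing the file bytes with `finfo` and matching the extension against an allowlist, and the stored name is confined to the upload directory. The accepted type list, the temporary directory layout and the constructed PNG and PHP sample files are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ code. Two server-side checks for an upload
// handler: the accepted type is decided by sniffing the bytes (never by the
// client's Content-Type), and the destination is confined to the upload
// directory regardless of what the request supplies as a file name.

/** Image types accepted for a category image, keyed by sniffed MIME type (assumed list). */
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => ['png'],
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/gif'  => ['gif'],
];

/**
 * Returns the canonical extension to store the file under, or null to reject.
 * $tmpFile is the uploaded temp file; $clientName is the name the browser sent.
 */
function acceptedImageExtension(string $tmpFile, string $clientName): ?string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpFile);
    if ($mime === false || !isset(ALLOWED_IMAGE_TYPES[$mime])) {
        return null;                       // not an image we serve, whatever it is called
    }
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_IMAGE_TYPES[$mime], true)) {
        return null;                       // ".php" on PNG bytes, or a mismatched extension
    }
    return ALLOWED_IMAGE_TYPES[$mime][0];  // extension chosen by the server, not the client
}

/**
 * Resolve $name inside $baseDir, or return null if it would land elsewhere.
 * Only a single path segment is accepted; realpath() then confirms that the
 * parent directory really is the upload directory, even through symlinks.
 */
function pathInsideUploadDir(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    if ($name === '' || $name !== basename($name) || $name[0] === '.') {
        return null;                       // "../x", "a/b", "" and dotfiles are refused
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    return realpath(dirname($candidate)) === $base ? $candidate : null;
}

// Constructed inputs: a minimal PNG (signature plus an IHDR chunk) and a PHP
// source file, both written to a throwaway directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload-demo-' . bin2hex(random_bytes(4));
mkdir($dir, 0700);

$png = $dir . DIRECTORY_SEPARATOR . 'in.png.tmp';
file_put_contents($png, "\x89PNG\r\n\x1a\n"
    . "\x00\x00\x00\x0dIHDR" . pack('NN', 1, 1) . "\x08\x02\x00\x00\x00" . "\x90\x77\x53\xde");
$php = $dir . DIRECTORY_SEPARATOR . 'in.php.tmp';
file_put_contents($php, "<?php echo 'not an image';\n");

$cases = [
    [$png, 'logo.png'],         // image bytes, image extension: accepted
    [$png, 'logo.php'],         // image bytes, executable extension: rejected
    [$php, 'shell.png'],        // PHP source renamed to look like an image: rejected
    [$png, '../../logo.png'],   // valid image whose name tries to leave the directory
];
foreach ($cases as [$tmp, $clientName]) {
    $ext    = acceptedImageExtension($tmp, $clientName);
    $target = $ext === null ? null : pathInsideUploadDir($dir, $clientName);
    printf("%-18s -> %s\n", $clientName, $target === null ? 'rejected' : 'store at ' . $target);
}

unlink($png);
unlink($php);
rmdir($dir);
```

Run with `php example.php` (requires the fileinfo extension). Note that `$_FILES[...]['type']` is never consulted: the browser's Content-type is an unverified claim, and the only trustworthy type evidence is what `finfo` reads from the bytes the server actually received.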
Solution
The phpMyFAQ Team has released the new phpMyFAQ version 3.2.6, which fixes these vulnerabilities. All
users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
There's no workaround except installing phpMyFAQ 3.2.6.
References
- Path Traversal in Attachments
- Stored XSS at File Attachments
- Stored HTML Injection at contentLink
- SQL injections at insertentry & saveentry
- Stored XSS at FAQ News Content
- File Upload Bypass at Category Image Leads to RCE
- Stored XSS at user email
- SQL Injection at "Save News"
Thanks
The phpMyFAQ team would like to thank @kevinnivekkevin for the responsible disclosures of these vulnerabilities.