The PHP filter_input() function with the FILTER_VALIDATE_URL flag is used to validate the URL submitted through the savefaq functionality.
But this filter does not protect against XSS: it checks URL syntax only and leaves characters that are meaningful in HTML, such as double quotes and angle brackets, in place.
File: phpmyfaq\ajaxservice.php
// I skip unnecessary lines
$contentlink = PMF_Filter::filterInput(INPUT_POST, 'contentlink', FILTER_VALIDATE_URL);
if (PMF_String::substr($contentlink, 7) != '') {
    // $contentlink is inserted unescaped into both the href attribute and the link text
    $answer = sprintf(
        '%s<br /><div id="newFAQContentLink">%s<a href="http://%s" target="_blank">%s</a></div>',
        $answer,
        $PMF_LANG['msgInfo'],
        PMF_String::substr($contentlink, 7),
        $contentlink
    );
}
$newData = [
    'lang'          => ($isTranslation === true ? $newLanguage : $languageCode),
    'thema'         => $question,
    'active'        => ($autoActivate ? FAQ_SQL_ACTIVE_YES : FAQ_SQL_ACTIVE_NO),
    'sticky'        => 0,
    'content'       => $answer,   // stored with the unescaped link markup
    'keywords'      => $keywords,
    'author'        => $name,
    'email'         => $email,
    'comment'       => 'y',
    'date'          => date('YmdHis'),
    'dateStart'     => '00000000000000',
    'dateEnd'       => '99991231235959',
    'linkState'     => '',
    'linkDateCheck' => 0
];
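The following PHP example is added here and is not phpMyFAQ's code. It feeds the proof-of-concept payload from below into filter_var() as constructed input, then contrasts the unsafe rendering pattern used in ajaxservice.php with one that restricts the scheme and HTML-encodes the output; renderLinkUnsafe and renderLinkSafe are hypothetical function names.

```php
<?php
// Added example, not phpMyFAQ code: shows that FILTER_VALIDATE_URL accepts the
// advisory's payload unchanged, and contrasts the unsafe rendering pattern
// with an output-encoded one. Function names are hypothetical.

// Constructed input, modelled on the proof-of-concept payload.
$contentlink = 'http://example.com/"><script>alert("xss")</script>';

// FILTER_VALIDATE_URL only checks URL syntax (scheme, host, optional parts);
// it does not reject characters such as " < > in the path, so this passes.
$validated = filter_var($contentlink, FILTER_VALIDATE_URL);
var_dump($validated !== false);

// Same pattern as ajaxservice.php: the validated value is placed in an href
// attribute and in the link text without encoding, so the quote in the
// payload terminates the attribute and the script tag is emitted verbatim.
function renderLinkUnsafe(string $link): string
{
    return sprintf(
        '<a href="http://%s" target="_blank">%s</a>',
        substr($link, 7),
        $link
    );
}

// Hardened version: validate syntax, accept only http/https (the filter
// accepts any scheme that carries a host), then HTML-encode the value for
// both the attribute and the text node. ENT_QUOTES also encodes double and
// single quotes, which is what keeps the href attribute from being closed.
function renderLinkSafe(string $link): ?string
{
    if (filter_var($link, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($link, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    $encoded = htmlspecialchars($link, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf(
        '<a href="%s" target="_blank" rel="noopener">%s</a>',
        $encoded,
        $encoded
    );
}

echo renderLinkUnsafe($contentlink), PHP_EOL;
echo renderLinkSafe($contentlink) ?? '(rejected)', PHP_EOL;
```

Running it prints the markup both ways, so the difference between the raw `"><script>` sequence and its `&quot;&gt;&lt;script&gt;` encoding is visible side by side.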
Proof of Concept
By default, every user can propose FAQ entries.
When an administrator activates the article through the http://phpmyfaq/admin/?action=view
URL, or when the records.defaultActivation
option is enabled, the XSS payload is rendered on the entry page:
http://phpmyfaq/index.php?action=artikel&cat=%cat_id%&id=%article_id%&artlang=pl
To reproduce the issue, enter the following URL in the "Link for this FAQ"
field:
http://example.com/"><script>alert("xss")</script>
Timeline
- 23-05-2016: Discovered
- 23-05-2016: Vendor notified
- 31-05-2016: Version 2.9.1 released, issue resolved