phpMyFAQ 2.9.0 Stored XSS

Homepage:

http://www.phpmyfaq.de/

Description:

The PHP filter_input() function with the FILTER_VALIDATE_URL flag is used to validate the URL submitted through the savefaq functionality.

This flag only checks that the value is syntactically a URL; it does not reject or encode characters such as `"`, `<` and `>`, and the validated value is then concatenated into HTML without escaping, so it does not protect against XSS.

File: phpmyfaq\ajaxservice.php

// I skip unnecessary lines
$contentlink = PMF_Filter::filterInput(INPUT_POST, 'contentlink', FILTER_VALIDATE_URL);
// $contentlink is only validated as a URL; it is not HTML-escaped before
// being placed into the href attribute and the link text below
if (PMF_String::substr($contentlink, 7) != '') {
    $answer = sprintf(
        '%s<br /><div id="newFAQContentLink">%s<a href="http://%s" target="_blank">%s</a></div>',
        $answer,
        $PMF_LANG['msgInfo'],
        PMF_String::substr($contentlink, 7),
        $contentlink
    );
}
$newData = [
    'lang' => ($isTranslation === true ? $newLanguage : $languageCode),
    'thema' => $question,
    'active' => ($autoActivate ? FAQ_SQL_ACTIVE_YES : FAQ_SQL_ACTIVE_NO),
    'sticky' => 0,
    'content' => $answer,
    'keywords' => $keywords,
    'author' => $name,
    'email' => $email,
    'comment' => 'y',
    'date' => date('YmdHis'),
    'dateStart' => '00000000000000',
    'dateEnd' => '99991231235959',
    'linkState' => '',
    'linkDateCheck' => 0
];

Proof of Concept:

By default, every user can propose FAQ entries.

When an admin activates the article via the http://phpmyfaq/admin/?action=view URL, or when the records.defaultActivation option is enabled, the XSS payload is rendered on the entry page:

http://phpmyfaq/index.php?action=artikel&cat=%cat_id%&id=%article_id%&artlang=pl

For exploitation, use the following URL in the "Link for this FAQ" field:

http://example.com/"><script>alert("xss")</script>
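As an added example (not phpMyFAQ's own code), a hardened version of the contentlink handling: the URL is restricted to http(s) and every untrusted value is HTML-escaped before it reaches the markup, which is the step missing from the sprintf() in ajaxservice.php. Function names are hypothetical; the inputs are the advisory's payload plus two constructed values.

```php
<?php
// Added example, not phpMyFAQ code: hardened 'contentlink' handling for the
// ajaxservice.php snippet above. Function names are hypothetical.
/**
 * Accept only absolute http(s) URLs. FILTER_VALIDATE_URL checks URL syntax,
 * not content: characters such as '"', '<' and '>' can survive in the path,
 * so this step alone is not an XSS defence.
 */
function validateContentLink(string $raw): ?string
{
    $url = filter_var($raw, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    // Reject javascript:, data:, file: and other non-web schemes.
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

/**
 * Build the link markup with every untrusted value escaped for the HTML
 * context it lands in. This is the missing step in the original sprintf():
 * there the URL goes into an attribute and into element text unescaped.
 */
function renderContentLink(string $url, string $label): string
{
    $safeUrl   = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeLabel = htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // No substr(7)/"http://" rewriting: that would also break https:// links.
    return sprintf(
        '<div id="newFAQContentLink">%s<a href="%s" target="_blank" rel="noopener">%s</a></div>',
        $safeLabel,
        $safeUrl,
        $safeUrl
    );
}

// Constructed inputs: the advisory's payload, a benign link, a bad scheme.
$inputs = [
    'http://example.com/"><script>alert("xss")</script>',
    'https://example.com/docs',
    'javascript:alert(1)',
];
foreach ($inputs as $raw) {
    $url = validateContentLink($raw);
    echo $url === null
        ? "rejected: {$raw}\n"
        : "rendered: " . renderContentLink($url, 'Info: ') . "\n";
}
```

Whether or not a given PHP version lets the payload through FILTER_VALIDATE_URL, the output stays inert: either the value is rejected or it is rendered with `"`, `<` and `>` encoded as entities.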

Timeline: