phpMyFAQ
cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*
- <= 4.1.0
A stored cross-site scripting (XSS) vulnerability has been identified in phpMyFAQ versions prior to 4.1.1. The issue arises from a regex bypass in the 'Filter::removeAttributes()' function, which fails to properly sanitize unquoted or single-quoted event handler attributes. This vulnerability allows an attacker to inject malicious scripts that are executed when the FAQ page is viewed.
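To illustrate the bug class named above, the following Python is an added example (not phpMyFAQ's actual Filter::removeAttributes() code, whose pattern is not reproduced here): it contrasts a stripper that only recognises double-quoted event-handler attributes with a hardened one that also covers single-quoted and unquoted values. The sample markup and the h() handler name are constructed.

```python
import re

# Constructed example, not phpMyFAQ's code: an on*-attribute stripper of the
# kind the advisory describes, in a weak and a hardened form.

# Weak form: only recognises on*="..." with double quotes, so on*='...' and
# unquoted on*=... survive sanitisation.
WEAK_EVENT_ATTR = re.compile(r'\s+on\w+\s*=\s*"[^"]*"', re.IGNORECASE)

# Hardened form: accepts double-quoted, single-quoted and unquoted values.
# An unquoted value runs until whitespace, a quote or the closing '>'.
HARDENED_EVENT_ATTR = re.compile(
    r'''\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)''',
    re.IGNORECASE,
)

def strip_event_handlers_weak(html: str) -> str:
    """Remove on* attributes, but only when the value is double-quoted."""
    return WEAK_EVENT_ATTR.sub("", html)

def strip_event_handlers(html: str) -> str:
    """Remove on* attributes regardless of quoting style."""
    return HARDENED_EVENT_ATTR.sub("", html)

def has_event_handler(html: str) -> bool:
    """Detection check: report whether any on* attribute remains, in any quoting style."""
    return HARDENED_EVENT_ATTR.search(html) is not None

# Constructed samples: the same handler in each of the three quoting forms.
SAMPLES = {
    "double": '<img src="x" onerror="h()">',
    "single": "<img src='x' onerror='h()'>",
    "unquoted": "<img src=x onerror=h()>",
}

if __name__ == "__main__":
    for name, html in SAMPLES.items():
        weak = strip_event_handlers_weak(html)
        hard = strip_event_handlers(html)
        print(f"{name:9} weak  -> {weak!r:30} handler left: {has_event_handler(weak)}")
        print(f"{name:9} fixed -> {hard!r:30} handler left: {has_event_handler(hard)}")
```

Pattern-based stripping stays fragile against other markup variations; an allowlist-based HTML sanitiser built on a real parser is the more robust fix.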
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of users viewing the affected FAQ page. This could lead to session hijacking, phishing, propagation of self-replicating XSS worms, or distribution of malware.
To reproduce this vulnerability, an authenticated admin can create a FAQ entry containing an XSS payload, such as an image tag with an unquoted event handler attribute, like 'onerror'. After the FAQ is published, any user visiting the page will trigger the XSS by executing the injected script.
Users are advised to update phpMyFAQ to version 4.1.1 or later, where this vulnerability has been patched.