phpMyFAQ Wildcard Injection Vulnerability in Search Function Allows Information Disclosure

Vulnerability

A wildcard injection vulnerability has been identified in phpMyFAQ versions prior to 4.1.1. The issue arises in the searchCustomPages() method of Search.php, where real_escape_string() is used to sanitize search terms before they are interpolated into SQL LIKE clauses. real_escape_string() only neutralizes the characters that could terminate or alter a SQL string literal (quotes, backslashes, NUL and similar); the LIKE metacharacters % (any sequence of characters) and _ (any single character) are ordinary characters to the string parser and pass through untouched, so they remain live as wildcards once the string reaches the LIKE clause. An unauthenticated attacker can therefore inject these wildcards into search queries to match unintended records and read content that should not be disclosed, leading to unauthorized information exposure.

Impact

Exploitation of this vulnerability allows unauthenticated users to bypass the search filter and retrieve every custom page, regardless of the intended search term, resulting in unauthorized disclosure of content that should only surface for a matching query.

Reproduction

To reproduce this vulnerability, navigate to the phpMyFAQ search page, which is accessible to unauthenticated users. Submit a search query that includes SQL LIKE metacharacters, such as '_%_' or 'te%t'. Because the application wraps the term in its own wildcards, '_%_' becomes the pattern '%_%_%', which matches every record at least two characters long, and 'te%t' matches any value containing "te" followed later by "t" (for example "test"). The search therefore returns unintended results, effectively bypassing the normal search term restriction. The same queries serve as a check after patching: once fixed, '_%_' should match only records containing that literal string.

Remediation

Update to phpMyFAQ version 4.1.1 or later, where this vulnerability has been patched. In version 4.1.1, the searchCustomPages() method has been updated to properly escape SQL LIKE metacharacters before executing the search. For anyone maintaining similar code elsewhere: switching to prepared statements alone does not close this class of bug, because parameter binding, like real_escape_string(), protects only the string literal and not the LIKE pattern grammar. The % and _ characters must be escaped explicitly (together with the escape character itself, so a trailing backslash in the input cannot swallow the wildcard the code appends), and the query should declare that escape character with an ESCAPE clause.
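The following is an added example, written for this page rather than taken from phpMyFAQ, that demonstrates both the vulnerable pattern described under Vulnerability and the hardened form described under Remediation. It uses an in-memory SQLite table as a stand-in for the MySQL custom pages table; quote-doubling stands in for mysqli's real_escape_string(), since both only protect the string literal. The table name, column layout, sample rows and function names are all constructed for illustration. It also goes one step beyond the advisory by showing that parameter binding on its own leaves the wildcards live, so the LIKE escaping is required regardless of how the term reaches the query.

```python
from __future__ import annotations

import sqlite3

# Constructed sample rows standing in for phpMyFAQ's custom pages table.
# Neither the data nor the table layout is taken from phpMyFAQ.
CUSTOM_PAGES = [
    (1, "About us", "Company history and contacts"),
    (2, "test", "A page called test"),
    (3, "Staging notes", "Only for an exact query"),
    (4, "100% done", "Has a percent sign in its name"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the MySQL table the PHP code queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE custompages (id INTEGER, title TEXT, content TEXT)")
    conn.executemany("INSERT INTO custompages VALUES (?, ?, ?)", CUSTOM_PAGES)
    return conn


def string_literal_escape(term: str) -> str:
    """SQLite analogue of mysqli::real_escape_string(): neutralises the quote that
    could end the string literal, but leaves % and _ alone because, to the SQL
    string parser, they are ordinary characters. Only LIKE gives them meaning."""
    return term.replace("'", "''")


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[int]:
    """Pre-4.1.1 pattern: escape for the string literal, then interpolate into a
    LIKE clause. Quotes are handled, so classic injection fails, but any % or _
    the user typed is still interpreted as a wildcard."""
    sql = (
        "SELECT id FROM custompages "
        f"WHERE title LIKE '%{string_literal_escape(term)}%' "
        f"OR content LIKE '%{string_literal_escape(term)}%' "
        "ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def escape_like(term: str, esc: str = "\\") -> str:
    """Make user input match literally inside a LIKE pattern.
    The escape character itself is escaped first; otherwise a term ending in a
    backslash would swallow the % the caller appends."""
    return (
        term.replace(esc, esc + esc)
            .replace("%", esc + "%")
            .replace("_", esc + "_")
    )


def search_fixed(conn: sqlite3.Connection, term: str) -> list[int]:
    """Hardened form: the term is bound as a parameter (which, like
    real_escape_string(), protects only the string literal) AND its LIKE
    metacharacters are escaped, with ESCAPE telling the engine which character
    was used. Binding alone would not stop the wildcard injection."""
    pattern = "%" + escape_like(term) + "%"
    sql = (
        "SELECT id FROM custompages "
        "WHERE title LIKE ? ESCAPE '\\' OR content LIKE ? ESCAPE '\\' "
        "ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]


if __name__ == "__main__":
    db = make_db()
    # '_%_' and '%' pull back every row from the vulnerable search; the classic
    # quote-based injection does not, which is exactly why the bug was missed.
    for probe in ("About", "_%_", "te%t", "%", "x' OR 1=1 --"):
        print(f"{probe!r:16} vulnerable={search_vulnerable(db, probe)} "
              f"fixed={search_fixed(db, probe)}")
```

Running the script shows the two searches agreeing on an ordinary term such as "About" and diverging on anything containing % or _: the vulnerable search returns all four rows for '_%_', while the fixed search returns only rows that literally contain the typed characters, so a search for '%' now finds just the page titled "100% done". In MySQL the same approach applies; the default LIKE escape character is already a backslash, but declaring it with ESCAPE keeps the query correct under sql_mode settings such as NO_BACKSLASH_ESCAPES.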

Added: May 3, 2026, 11:26 AM
Updated: May 3, 2026, 11:26 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 9.5
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.