phpMyFAQ
cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*
- <= 4.1.1
A SQL injection vulnerability has been identified in phpMyFAQ versions prior to 4.1.2. The issue arises in the CurrentUser::setTokenData method, where OAuth token claims are injected into a SQL UPDATE statement without proper escaping. This flaw allows authenticated attackers to execute arbitrary SQL commands. The vulnerability is particularly exploitable by attackers with Azure AD accounts that include SQL metacharacters in their display names or JWT claims, enabling them to break out of SQL string literals and execute custom database queries.
Exploitation of this vulnerability allows authenticated users to execute arbitrary SQL commands on the phpMyFAQ database. This could lead to unauthorized data access, modification or deletion of content, and extraction of sensitive information such as password hashes and session tokens for all users, including administrators.
To reproduce this vulnerability, an Azure AD account must be created with a display name or JWT claim containing SQL metacharacters, such as a single quote or a crafted SQL payload. After logging into a phpMyFAQ instance with Azure AD authentication enabled, the injected claim will be processed by the vulnerable setTokenData method, executing the arbitrary SQL in the database. This can be confirmed by modifying the OAuth token response to include a time-based SQL injection payload, which would cause a delay in the login process if the injection was successful.
Update phpMyFAQ to version 4.1.2 or later, and ensure that all interpolated values in the setTokenData method are properly escaped using the database escape function.
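The escaping the remediation calls for, shown as an added illustration that is not phpMyFAQ's own code: a hypothetical display-name update written two ways, the interpolating form the advisory describes (built as text only, never executed) and a parameterized form that binds the claim as data. The table and column names (faquser, display_name), the use of PDO with an in-memory SQLite database in place of the project's own database layer and escape function, and the sample claim value are all assumptions.

```php
<?php
// Added example (not phpMyFAQ code). Table/column names and the PDO/SQLite
// setup are assumptions chosen so the script runs stand-alone (needs pdo_sqlite).

// The pattern the advisory describes: a token claim interpolated straight into
// the UPDATE. A single quote in $displayName terminates the string literal, so
// whatever follows it is parsed as SQL. Returned as text only, never executed.
function buildInterpolatedUpdate(string $displayName, int $userId): string
{
    return "UPDATE faquser SET display_name = '" . $displayName
        . "' WHERE user_id = " . $userId;
}

// Hardened form: the claim is bound as a parameter, so the driver treats it as
// data whatever characters it contains. Same intent as passing every
// interpolated value through the database escape function.
function updateDisplayName(PDO $pdo, string $displayName, int $userId): int
{
    $stmt = $pdo->prepare(
        'UPDATE faquser SET display_name = :name WHERE user_id = :id'
    );
    $stmt->bindValue(':name', $displayName, PDO::PARAM_STR);
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function fetchDisplayName(PDO $pdo, int $userId): ?string
{
    $stmt = $pdo->prepare('SELECT display_name FROM faquser WHERE user_id = :id');
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    $value = $stmt->fetchColumn();
    return $value === false ? null : $value;
}

// Constructed sample: a display name carrying a SQL metacharacter.
$claimName = "O'Brien";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE faquser (user_id INTEGER PRIMARY KEY, display_name TEXT)');
$pdo->exec("INSERT INTO faquser (user_id, display_name) VALUES (1, 'initial')");

// Show how the quote breaks the literal in the interpolated form.
echo buildInterpolatedUpdate($claimName, 1), PHP_EOL;

// The bound form stores the claim verbatim and touches exactly one row.
$rows = updateDisplayName($pdo, $claimName, 1);
echo "rows updated: {$rows}, stored: ", fetchDisplayName($pdo, 1), PHP_EOL;
```

Running it prints the broken interpolated statement first, then `rows updated: 1, stored: O'Brien`, showing that the bound form keeps the quote as part of the value rather than as SQL syntax.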