phpMyFAQ Stored Cross-Site Scripting Vulnerability in SvgSanitizer

Vulnerability

A stored cross-site scripting vulnerability has been identified in phpMyFAQ versions prior to 4.1.2. The issue arises in the SvgSanitizer's decodeAllEntities() method, which restricts recursive entity decoding to five iterations. Because decoding stops after five passes, an entity nested more deeply than that is never fully decoded, and the sanitizer's checks never see the decoded value. This allows authenticated users with FAQ_EDIT permission to upload malicious SVG files: by deeply nesting ampersand encodings around numeric HTML entities, attackers can bypass the sanitization process and create 'javascript:' URLs that execute arbitrary JavaScript when clicked by other users viewing the uploaded SVG.
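The following Python model illustrates the class of flaw described above and one hardened alternative. It is an added example, not phpMyFAQ's SvgSanitizer (which is PHP) and not the patch shipped in 4.1.2; the function names, the 32-pass budget, the scheme list and the sample SVG documents are all assumptions or constructed test data. The bounded decoder returns whatever is left after five passes, so a scheme check on its output cannot see a value that needs a sixth pass; the hardened decoder runs to a fixed point and fails closed when the budget is exhausted.

```python
"""
Model of a bounded entity-decoding sanitizer versus a fixed-point one.
Added example; not phpMyFAQ code. Names and limits below are assumptions.
"""
import html
import re

MAX_DECODE_PASSES = 5          # the bound the advisory describes
FIXED_POINT_BUDGET = 32        # assumed ceiling for the hardened check
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")
# Raw-text scan of href / xlink:href attribute values (constructed helper;
# a real sanitizer would walk the parsed DOM instead).
HREF_RE = re.compile(r'\b(?:xlink:)?href\s*=\s*"([^"]*)"')


def decode_bounded(value: str, passes: int = MAX_DECODE_PASSES) -> str:
    """Weak form: decode at most `passes` times and return the remainder,
    even if entities are still present. Anything left encoded is invisible
    to a scheme check run on the result."""
    for _ in range(passes):
        decoded = html.unescape(value)
        if decoded == value:
            break
        value = decoded
    return value


def decode_to_fixed_point(value: str, budget: int = FIXED_POINT_BUDGET) -> str:
    """Hardened form: decode until a pass changes nothing. Input that is
    still changing after `budget` passes is rejected instead of being
    returned half-decoded."""
    for _ in range(budget):
        decoded = html.unescape(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("entity nesting deeper than decoding budget")


def is_dangerous_scheme(href: str) -> bool:
    """Scheme check after dropping whitespace and control characters that
    browsers ignore inside a scheme, compared case-insensitively."""
    normalized = re.sub(r"[\s\x00-\x1f]+", "", href).lower()
    return normalized.startswith(DANGEROUS_SCHEMES)


def href_allowed_bounded(href: str) -> bool:
    """The flawed decision: check the scheme on a bounded decode."""
    return not is_dangerous_scheme(decode_bounded(href))


def href_allowed_hardened(href: str) -> bool:
    """The hardened decision: full decode, fail closed on over-deep input."""
    try:
        decoded = decode_to_fixed_point(href)
    except ValueError:
        return False
    return not is_dangerous_scheme(decoded)


def nest_encode(text: str, layers: int) -> str:
    """Test-vector helper: one numeric entity per character, with `layers`
    '&amp;' wrappers around each ampersand, as the advisory describes."""
    return "".join("&" + "amp;" * layers + f"#{ord(ch)};" for ch in text)


def svg_hrefs_allowed(svg_text: str, check=href_allowed_hardened) -> bool:
    """Apply `check` to every href / xlink:href value in the raw SVG text."""
    return all(check(value) for value in HREF_RE.findall(svg_text))


# Constructed sample documents (not taken from the advisory).
SAFE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="https://example.invalid/page"><text>ok</text></a></svg>'
)
NESTED_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<a xlink:href="' + nest_encode("javascript:", 5) + '"><text>x</text></a></svg>'
)

if __name__ == "__main__":
    print("bounded  allows nested svg:", svg_hrefs_allowed(NESTED_SVG, href_allowed_bounded))
    print("hardened allows nested svg:", svg_hrefs_allowed(NESTED_SVG))
    print("hardened allows safe svg:  ", svg_hrefs_allowed(SAFE_SVG))
```

With five '&amp;' layers the bounded decoder needs a sixth pass to reach the scheme, so `href_allowed_bounded` returns True while `href_allowed_hardened` returns False. The budget in the hardened form exists only to bound CPU time on hostile input; any value that is still changing when the budget runs out is rejected rather than stored.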

Impact

Exploitation of this vulnerability leads to stored cross-site scripting, where the uploaded SVG file executes JavaScript in the browser context of whoever views it. This could allow an attacker to hijack session cookies and CSRF tokens of other administrators, or to escalate privileges by executing JavaScript in the session of a super-admin.

Reproduction

To reproduce this vulnerability, upload an SVG file containing a 'javascript:' link with each character of 'javascript' entity-encoded with five levels of '&' nesting around numeric HTML entities. Use an admin account with FAQ_EDIT permission to upload the SVG via the admin image upload endpoint. After uploading, access the SVG file directly, which will trigger the JavaScript execution.

Remediation

Users are advised to update phpMyFAQ to version 4.1.2 or later, where this vulnerability has been patched.

Added: May 15, 2026, 7:33 PM
Updated: May 15, 2026, 7:33 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.7
exploitability: 6.2
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.