phpMyFAQ Stored Cross-Site Scripting Vulnerability in Search Results

Vulnerability

A stored cross-site scripting vulnerability has been identified in phpMyFAQ versions prior to 4.1.2. The issue arises in the search.twig template, where the result.question and result.answerPreview fields are rendered with the raw filter, which disables Twig's default autoescaping. The values reach the template after html_entity_decode(strip_tags()) processing in SearchController.php; because strip_tags() runs before html_entity_decode(), an HTML-entity-encoded tag survives the stripping step and is decoded back into live markup, which the raw filter then outputs unescaped. This allows attackers with FAQ editor privileges to store entity-encoded payloads that execute arbitrary JavaScript in the browser of every visitor who views matching search results, including administrators.
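As an added illustration (not phpMyFAQ's own code; the function names and the sample answer are constructed), the following PHP shows why stripping tags before decoding entities lets encoded markup through, alongside a hardened variant that decodes first and escapes on output:

```php
<?php
// Constructed illustration of the sanitization-order defect described above.
// Function names and the sample input are assumptions, not phpMyFAQ code.
declare(strict_types=1);

// Mirrors the order the advisory describes: tags are stripped first, then
// entities are decoded. An entity-encoded tag is invisible to strip_tags()
// and is turned back into real markup by html_entity_decode(). Rendering
// this result through Twig's |raw filter outputs it unescaped.
function previewVulnerable(string $answer): string
{
    return html_entity_decode(strip_tags($answer), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened variant: decode first so that encoded markup becomes visible to
// strip_tags(), then escape the result. With the value escaped here, the
// template can drop |raw and rely on autoescaping, which is the real fix.
function previewHardened(string $answer): string
{
    $decoded = html_entity_decode($answer, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $plain   = strip_tags($decoded);
    return htmlspecialchars($plain, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample: an editor-supplied answer carrying an entity-encoded tag.
$sample = 'Reset your password via &lt;b&gt;Settings&lt;/b&gt;';

echo "vulnerable: ", previewVulnerable($sample), PHP_EOL; // tag becomes live markup
echo "hardened:   ", previewHardened($sample), PHP_EOL;   // tag is removed, text escaped
```

The same ordering check applies to any strip-then-decode pipeline, not only to FAQ answer previews.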

Impact

Exploitation of this vulnerability allows an attacker to execute JavaScript in the victim's browser and steal session cookies, leading to account takeover; if an administrator is targeted, the administrator's session can be hijacked. The vulnerability is persistent: the payload affects every visitor whose search matches the poisoned entry until it is removed, and an attacker who gains administrative access could extend the attack by creating further FAQ entries that carry the malicious payload.

Reproduction

To reproduce this vulnerability, an attacker with FAQ editor privileges can inject a payload into a FAQ entry or custom page. This payload should be HTML-entity-encoded to bypass initial sanitization. Once the payload is stored, it can be triggered by searching for keywords that match the poisoned FAQ, causing the search result page to render the payload and execute the JavaScript in the context of the user.

Remediation

Users are advised to update to phpMyFAQ version 4.1.2 or later, where this vulnerability has been patched.

Added: May 15, 2026, 7:31 PM
Updated: May 15, 2026, 7:31 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.7
exploitability: 6.0
remediation: 7.7
relevance: 8.4
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.