phpMyFAQ Stored Cross-Site Scripting Vulnerability in FAQ Creation and Update Endpoints

Vulnerability

A stored cross-site scripting vulnerability has been identified in phpMyFAQ versions prior to 4.1.2. This issue resides in the FAQ creation and update endpoints, where sanitization is bypassed through a cycle of encoding and decoding. The vulnerability allows authenticated attackers with FAQ_ADD permission to inject malicious script tags into the question or answer parameters. These scripts execute in the browsers of all visitors when the FAQ content is displayed using the raw Twig filter.

Impact

Exploitation of this vulnerability allows for session hijacking, as an attacker can steal cookies from any user, including administrators, who views the affected FAQ. This could lead to a full account takeover. Additionally, the injected script could be used for phishing attacks or to propagate a worm-like attack by capturing an admin's session and creating more malicious FAQs.

Reproduction

To reproduce this vulnerability, an authenticated user with FAQ_ADD permission sends a POST request to the FAQ creation or update endpoint with a script tag included in the answer or question field. After the FAQ is saved, the script executes when the FAQ is viewed by any visitor.

Remediation

Users are advised to update phpMyFAQ to version 4.1.2 or later. For a more robust solution, replace the current HTML sanitization process with a library that can properly sanitize HTML at the DOM level, such as HTML Purifier or Symfony's HtmlSanitizer component.
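The following is an added illustration of the remediation advice above, not phpMyFAQ's own code: `naive_pipeline` is a constructed stand-in for the flawed pattern the advisory describes (a check applied before a later entity-decoding step), and `dom_sanitize` shows the DOM-level allowlist approach that HTML Purifier or Symfony's HtmlSanitizer implement in PHP. Python is used only so the two orderings can be compared side by side; the tag allowlist and sample input are assumptions.

```python
import html
import re
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}}  # href kept only for http(s) URLs
SAMPLE_ENCODED = "&lt;script&gt;alert(1)&lt;/script&gt;"  # constructed sample input


def naive_pipeline(stored_text: str) -> str:
    """Flawed ordering: the check runs on the raw text and entity decoding happens
    afterwards (e.g. before a raw template output), so encoded markup survives."""
    stripped = re.sub(r"<script\b.*?</script>", "", stored_text, flags=re.I | re.S)
    return html.unescape(stripped)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from parsed tokens: only allowlisted elements and
    attributes survive, and script/style bodies are dropped entirely."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            kept = ""
            for name, value in attrs:
                if name in ALLOWED_ATTRS.get(tag, ()) and value and (
                    name != "href" or value.lower().startswith(("http://", "https://"))
                ):
                    kept += f' {name}="{html.escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))


def dom_sanitize(stored_text: str) -> str:
    """Correct ordering: decode once to what the browser will parse, then rebuild."""
    parser = AllowlistSanitizer()
    parser.feed(html.unescape(stored_text))
    parser.close()
    return "".join(parser.out)
```

The regression check worth keeping in a test suite is that the sanitizer's output for entity-encoded markup contains no live tags after every decoding step the rendering path performs.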

Added: May 15, 2026, 7:31 PM
Updated: May 15, 2026, 7:31 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 1.7
exploitability: 6.3
remediation: 7.7
relevance: 8.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.