phpMyFAQ Stored Cross-Site Scripting Vulnerability in Comment Parsing

Vulnerability

A stored cross-site scripting vulnerability has been identified in phpMyFAQ versions prior to 4.1.2. The issue resides in the Utils::parseUrl() function, which processes URLs in comments by converting them into clickable links. This vulnerability allows authenticated users to inject JavaScript into comments by using malformed URLs with unescaped quotes. When other users, including administrators, view the affected FAQ pages, the injected script executes. This exploitation can lead to the theft of admin session cookies, allowing for a complete takeover of the admin account.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts execute for all users viewing the affected page, including admins. This leads to the theft of admin session cookies and a full takeover of the admin account.

Reproduction

To reproduce this vulnerability, log in as a registered user with access to the comment editor. Ensure that the 'main.enableCommentEditor' setting is turned on. Then, navigate to a FAQ entry that allows comments. Submit a comment containing a crafted URL with an unescaped quote, for example the string "https://www.evil.com/'onmouseover='alert(document.cookie)'" (without the surrounding double quotes). Once the comment is posted, any user who views the FAQ page and hovers over the link will trigger the JavaScript payload, stealing the session cookie. This can also be done through the admin comments panel.

Remediation

Users can update to phpMyFAQ version 4.1.2 or later to address this vulnerability.
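The root cause described above is an output-encoding defect: a linkifier copies the matched URL into an href attribute without escaping it, so a quote inside the URL ends the attribute and the remainder of the string is parsed as markup. The following PHP is an added illustration written for this page; it is not phpMyFAQ's Utils::parseUrl() and makes no claim about that function's internals. The function names linkifyUnsafe(), linkifySafe() and hasRawQuoteInHref() are assumptions, and the sample comment is the page's own reproduction string. The safe variant escapes both the URL and the surrounding plain text with ENT_QUOTES, and excludes quote characters from the URL match, so neither single nor double quotes can break out of the attribute.

```php
<?php
// Added example for this advisory page. Not phpMyFAQ code: an illustrative
// comment linkifier showing the weak pattern beside a hardened one.

declare(strict_types=1);

/**
 * Weak pattern: the raw match is interpolated straight into the href
 * attribute. A quote in the URL terminates the attribute value and the
 * rest of the "URL" becomes attributes of the <a> element.
 * (Assumed function name; kept only as the "before" form.)
 */
function linkifyUnsafe(string $text): string
{
    return preg_replace('~https?://\S+~i', '<a href="$0">$0</a>', $text);
}

/**
 * Hardened pattern (assumed function name):
 *  - the URL pattern stops at whitespace, angle brackets and quotes, so a
 *    quote can never be part of the matched URL;
 *  - every fragment of output, URL and plain text alike, is passed through
 *    htmlspecialchars() with ENT_QUOTES so both ' and " are encoded.
 */
function linkifySafe(string $text): string
{
    $flags = ENT_QUOTES | ENT_HTML5;
    $out = '';
    $pos = 0;

    preg_match_all('~https?://[^\s<>"\']+~i', $text, $matches, PREG_OFFSET_CAPTURE);

    foreach ($matches[0] as [$url, $offset]) {
        // Plain text before the URL, escaped.
        $out .= htmlspecialchars(substr($text, $pos, $offset - $pos), $flags, 'UTF-8');

        // The URL itself, escaped once and reused for the attribute and the link text.
        $escaped = htmlspecialchars($url, $flags, 'UTF-8');
        $out .= '<a href="' . $escaped . '" rel="noopener noreferrer">' . $escaped . '</a>';

        $pos = $offset + strlen($url);
    }

    // Trailing plain text, escaped.
    $out .= htmlspecialchars(substr($text, $pos), $flags, 'UTF-8');

    return $out;
}

/**
 * Simple output check (assumed helper): true if any href attribute value
 * contains a raw single or double quote, i.e. the attribute was broken open.
 */
function hasRawQuoteInHref(string $html): bool
{
    // Capture each href value up to the closing double quote of the attribute
    // as the weak pattern emits it; a raw ' or an early " inside means breakage.
    if (preg_match_all('~href="([^"]*)"~', $html, $m) === 0) {
        return false;
    }
    foreach ($m[1] as $value) {
        if (strpos($value, "'") !== false) {
            return true;
        }
    }
    // A second href-like token following the first indicates the attribute
    // was terminated early by an injected quote.
    return preg_match('~<a href="[^"]*"[^>]*on[a-z]+=~i', $html) === 1;
}

// Constructed input: the reproduction string quoted in this advisory.
$comment = "see https://www.evil.com/'onmouseover='alert(document.cookie)' now";

echo "unsafe: ", linkifyUnsafe($comment), PHP_EOL;
echo "safe:   ", linkifySafe($comment), PHP_EOL;

var_dump(hasRawQuoteInHref(linkifyUnsafe($comment))); // bool(true)
var_dump(hasRawQuoteInHref(linkifySafe($comment)));   // bool(false)
```

Running this with the advisory's sample string shows the safe output as a link to https://www.evil.com/ followed by the literal, entity-encoded text &#039;onmouseover=&#039;alert(document.cookie)&#039;, which the browser renders as text rather than as an event handler attribute. The same encode-on-output rule applies to any other place the comment text is rendered, such as the admin comments panel mentioned above.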

Added: May 15, 2026, 7:28 PM
Updated: May 15, 2026, 7:28 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 5.4
exploitability: 6.3
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.