{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/phpmyfaq-4.1.1/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["phpMyFAQ 4.1.1"],"_cs_severities":["high"],"_cs_tags":["xss","phpmyfaq","stored-xss"],"_cs_type":"advisory","_cs_vendors":["phpMyFAQ"],"content_html":"\u003cp\u003ephpMyFAQ version 4.1.1 is vulnerable to a stored Cross-Site Scripting (XSS) vulnerability due to improper sanitization of URLs within user comments. An attacker with a registered user account can inject malicious JavaScript code into a comment. This code is then executed when other users, including administrators, view the FAQ or news page containing the comment. The vulnerability stems from the \u003ccode\u003eUtils::parseUrl()\u003c/code\u003e function, which converts URLs in comments to clickable links without proper HTML escaping, allowing for the injection of arbitrary HTML attributes. This can lead to session cookie theft and full administrative account takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker registers a user account on the phpMyFAQ instance.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a FAQ entry or News page where comments are enabled (\u003ccode\u003emain.enableCommentEditor = true\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL containing JavaScript code, such as \u003ccode\u003ehttps://www.evil.com/\u0026quot;onmouseover=\u0026quot;alert(document.cookie)\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker submits the malicious URL as part of a comment on the targeted FAQ entry or News page.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eUtils::parseUrl()\u003c/code\u003e function processes the comment, converting the URL into an HTML \u003ccode\u003e\u0026lt;a\u0026gt;\u003c/code\u003e tag without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe crafted URL, including the injected JavaScript, is stored in the phpMyFAQ database.\u003c/li\u003e\n\u003cli\u003eWhen another user, including an administrator, views the FAQ entry or News page, the malicious JavaScript is executed in their browser.\u003c/li\u003e\n\u003cli\u003eThe attacker steals the user\u0026rsquo;s session cookie, potentially leading to account takeover, especially if the victim is an administrator.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this stored XSS vulnerability allows an attacker to inject arbitrary JavaScript code into phpMyFAQ pages. This can lead to session cookie theft, potentially resulting in the takeover of user accounts, including administrative accounts. Given the lack of Content-Security-Policy headers, the impact is magnified. This vulnerability affects all visitors to the page with the malicious comment, and the injected code persists until the comment is manually removed.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of phpMyFAQ that addresses the XSS vulnerability.\u003c/li\u003e\n\u003cli\u003eApply HTML escaping to user-supplied URLs when rendering comments to prevent arbitrary HTML injection.\u003c/li\u003e\n\u003cli\u003eImplement a Content Security Policy (CSP) to restrict the execution of inline JavaScript.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect phpMyFAQ XSS Payload in Comments\u003c/code\u003e to identify potential exploitation attempts (see below).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing the XSS payload \u003ccode\u003ehttps://www.evil.com/\u0026quot;onmouseover=\u0026quot;alert(document.cookie)\u003c/code\u003e (see IOCs).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-phpmyfaq-xss/","summary":"A stored XSS vulnerability in phpMyFAQ version 4.1.1 allows an authenticated user to inject JavaScript code into comments, leading to session cookie theft and potential admin account takeover when other users view the affected FAQ or News page.","title":"phpMyFAQ Stored XSS Vulnerability in Comment Rendering","url":"https://feed.craftedsignal.io/briefs/2024-01-02-phpmyfaq-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — PhpMyFAQ 4.1.1","version":"https://jsonfeed.org/version/1.1"}