Attack Chain

1. An attacker registers a user account on the phpMyFAQ instance.
2. The attacker identifies a FAQ entry or News page where comments are enabled (main.enableCommentEditor = true).
3. The attacker crafts a malicious URL containing JavaScript code, such as https://www.evil.com/"onmouseover="alert(document.cookie).
4. The attacker submits the malicious URL as part of a comment on the targeted FAQ entry or News page.
5. The Utils::parseUrl() function processes the comment, converting the URL into an HTML <a> tag without proper sanitization.
6. The crafted URL, including the injected JavaScript, is stored in the phpMyFAQ database.
7. When another user, including an administrator, views the FAQ entry or News page, the malicious JavaScript is executed in their browser.
8. The attacker steals the user’s session cookie, potentially leading to account takeover, especially if the victim is an administrator.

Impact

Successful exploitation of this stored XSS vulnerability allows an attacker to inject arbitrary JavaScript code into phpMyFAQ pages. This can lead to session cookie theft, potentially resulting in the takeover of user accounts, including administrative accounts. Given the lack of Content-Security-Policy headers, the impact is magnified. This vulnerability affects all visitors to the page with the malicious comment, and the injected code persists until the comment is manually removed.

Recommendation

• Upgrade to a patched version of phpMyFAQ that addresses the XSS vulnerability.
• Apply HTML escaping to user-supplied URLs when rendering comments to prevent arbitrary HTML injection.
• Implement a Content Security Policy (CSP) to restrict the execution of inline JavaScript.
• Deploy the Sigma rule Detect phpMyFAQ XSS Payload in Comments to identify potential exploitation attempts (see below).
• Monitor web server logs for requests containing the XSS payload https://www.evil.com/"onmouseover="alert(document.cookie) (see IOCs).