{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/phpmyfaq/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["phpMyFAQ"],"_cs_severities":["critical"],"_cs_tags":["sql-injection","unauthenticated","web-application"],"_cs_type":"advisory","_cs_vendors":["phpMyFAQ"],"content_html":"\u003cp\u003ephpMyFAQ 4.1.1 and earlier are vulnerable to unauthenticated SQL injection in the BuiltinCaptcha component. The \u003ccode\u003egarbageCollector()\u003c/code\u003e and \u003ccode\u003esaveCaptcha()\u003c/code\u003e methods in \u003ccode\u003ephpmyfaq/src/phpMyFAQ/Captcha/BuiltinCaptcha.php\u003c/code\u003e take the request's User-Agent header and client IP address and interpolate them, unescaped, via \u003ccode\u003esprintf\u003c/code\u003e into a DELETE statement and an INSERT statement respectively. Because neither escaping nor parameter binding is applied, whatever the client places in the User-Agent header becomes part of the query text. An attacker therefore needs only a single GET request to the \u003ccode\u003e/api/captcha\u003c/code\u003e endpoint carrying a crafted User-Agent value. The finding was reproduced against phpMyFAQ 4.2.0-alpha, so the development build of the time was affected as well: a time-based payload in the User-Agent produced a clear delay relative to an otherwise identical clean request, confirming that the header reaches the database unmodified. 
This gives an attacker the ability to read sensitive data, alter database records, and take complete control of the phpMyFAQ datastore.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker builds an SQL payload that fits the quoting context of the affected DELETE or INSERT statement.\u003c/li\u003e\n\u003cli\u003eThe attacker places the payload in the User-Agent header of an HTTP GET request.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the \u003ccode\u003e/api/captcha\u003c/code\u003e endpoint of the phpMyFAQ instance.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eCaptchaController.php\u003c/code\u003e handles the request and instantiates \u003ccode\u003eBuiltinCaptcha\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eBuiltinCaptcha\u003c/code\u003e reads the User-Agent header without sanitising it.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003egetCaptchaImage()\u003c/code\u003e calls both \u003ccode\u003esaveCaptcha()\u003c/code\u003e and \u003ccode\u003egarbageCollector()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eBoth methods execute their queries with the payload embedded in the SQL text.\u003c/li\u003e\n\u003cli\u003eThe endpoint does not echo query results, so the attacker extracts data through time-based blind injection, inferring it from response delays one request at a time, or uses the DELETE statement directly to destroy records.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives an unauthenticated remote attacker SQL injection against the phpMyFAQ database. In a default installation that means reading user credential hashes, the admin token, SMTP credentials, and the content of FAQ entries, including those marked private or restricted. Because one injection point sits inside a DELETE statement, its scope can be widened to tamper with or wipe arbitrary rows. 
Exploitation is straightforward: the \u003ccode\u003e/api/captcha\u003c/code\u003e endpoint requires no authentication, has no CSRF protection, and is not rate limited, so an attacker can issue the many requests that blind extraction needs without being slowed down.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the fix given in the advisory: pass the User-Agent and client IP values through \u003ccode\u003eDatabase::escape()\u003c/code\u003e before they are interpolated into the SQL strings. The affected code is at \u003ccode\u003ephpmyfaq/src/phpMyFAQ/Captcha/BuiltinCaptcha.php:298-325\u003c/code\u003e and \u003ccode\u003ephpmyfaq/src/phpMyFAQ/Captcha/BuiltinCaptcha.php:330\u003c/code\u003e. Escaping closes this instance; where the database layer supports it, parameter binding removes the bug class altogether.\u003c/li\u003e\n\u003cli\u003eAudit the codebase for other places where \u003ccode\u003esprintf\u003c/code\u003e assembles SQL from request-derived values, as the advisory suggests; the same pattern elsewhere is the same vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;phpMyFAQ Captcha API SQL Injection Attempt\u0026rdquo;, which flags suspicious User-Agent values on requests to \u003ccode\u003e/api/captcha\u003c/code\u003e. The rule needs web server access logs that record the User-Agent field (combined log format or equivalent); logs that omit it will never trigger. Expect some noise from scanners, and treat a burst of requests to the endpoint from one client with varying User-Agent strings as the strongest signal, since blind extraction requires many requests.\u003c/li\u003e\n\u003cli\u003eUpgrade to a phpMyFAQ release that includes the fix once one is available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T12:00:00Z","date_published":"2024-01-09T12:00:00Z","id":"/briefs/2024-01-phpmyfaq-sql-injection/","summary":"Unauthenticated SQL injection vulnerability exists in phpMyFAQ \u003c= 4.1.1 due to improper handling of the User-Agent header in BuiltinCaptcha, allowing attackers to inject malicious SQL payloads and potentially gain complete control of the datastore.","title":"CraftedSignal Threat Feed — 
PhpMyFAQ","version":"https://jsonfeed.org/version/1.1"}
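The attack chain and the first recommendation above describe one bug class: a caller-controlled header formatted straight into a DELETE. The following is an added example by the editor, written in Python against sqlite3 rather than phpMyFAQ's PHP, that models that garbage-collector DELETE in its vulnerable form next to a parameter-bound form. The table layout, the WHERE clause, the `MAX_AGE` constant and the payload are stand-ins chosen to show the pattern; they are not phpMyFAQ's real query shape, and the fix shown (binding) is stronger than the escaping the advisory prescribes.

```python
# Editor's added example: the DELETE-with-sprintf bug class from the advisory,
# modelled in Python/sqlite3. Table, WHERE clause and payload are hypothetical.
import sqlite3
import time

MAX_AGE = 3600  # hypothetical captcha lifetime in seconds


def make_db() -> sqlite3.Connection:
    """Hypothetical captcha table: two fresh rows and one expired row (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE captcha (id TEXT, useragent TEXT, ip TEXT, captcha_time INTEGER)"
    )
    now = int(time.time())
    rows = [
        ("a1", "Mozilla/5.0 (X11; Linux x86_64)", "203.0.113.7", now),
        ("b2", "Mozilla/5.0 (Windows NT 10.0)", "198.51.100.23", now),
        ("c3", "curl/8.5.0", "192.0.2.4", now - 2 * MAX_AGE),  # expired
    ]
    db.executemany("INSERT INTO captcha VALUES (?, ?, ?, ?)", rows)
    return db


def count_rows(db: sqlite3.Connection) -> int:
    return db.execute("SELECT COUNT(*) FROM captcha").fetchone()[0]


def garbage_collect_vulnerable(db: sqlite3.Connection, user_agent: str, ip: str) -> int:
    """Vulnerable form: the header is pasted into the SQL text (the sprintf
    pattern the advisory describes). Returns the number of rows deleted."""
    sql = (
        "DELETE FROM captcha WHERE captcha_time < %d "
        "OR (useragent = '%s' AND ip = '%s')"
    ) % (int(time.time()) - MAX_AGE, user_agent, ip)
    return db.execute(sql).rowcount


def garbage_collect_hardened(db: sqlite3.Connection, user_agent: str, ip: str) -> int:
    """Hardened form: values travel as bound parameters, so the header can
    never change the query's structure, whatever quotes it contains."""
    cur = db.execute(
        "DELETE FROM captcha WHERE captcha_time < ? OR (useragent = ? AND ip = ?)",
        (int(time.time()) - MAX_AGE, user_agent, ip),
    )
    return cur.rowcount


def demo() -> dict:
    """Run the same crafted User-Agent through both forms and report the damage."""
    # Closes the useragent literal, ORs in a tautology, and re-opens a literal so
    # the quotes stay balanced. The vulnerable query becomes:
    #   ... OR (useragent = 'x' OR 1=1 OR '' AND ip = '203.0.113.7')
    # which is true for every row, so the whole table is wiped.
    payload = "x' OR 1=1 OR '"
    ip = "203.0.113.7"
    vuln_db, hard_db = make_db(), make_db()
    return {
        "vulnerable_deleted": garbage_collect_vulnerable(vuln_db, payload, ip),
        "vulnerable_left": count_rows(vuln_db),
        "hardened_deleted": garbage_collect_hardened(hard_db, payload, ip),
        "hardened_left": count_rows(hard_db),
    }


if __name__ == "__main__":
    print(demo())
```

With the payload, the vulnerable collector deletes all three rows; the bound version deletes only the expired one, because the payload is compared as an ordinary string that matches no row. The INSERT in `saveCaptcha()` is the same defect in the other direction, and the same remedy applies.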
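The detection recommendation above relies on spotting SQL in the User-Agent of requests to `/api/captcha`. The following is an added example by the editor, not the feed's Sigma rule and not phpMyFAQ code, that applies the same logic to Apache-style combined access logs. It assumes the User-Agent is the last quoted field and that embedded double quotes are escaped as `\"` (Apache's convention; nginx writes them as `\x22`, so its logs would need a different unescape step). The indicator patterns, the log lines and the `SAMPLE_LOG` name are constructed for the example.

```python
# Editor's added example: flag SQL-injection attempts against /api/captcha in
# combined-format access logs. Not the feed's Sigma rule; sample lines constructed.
import re
from typing import Iterable, Optional

# Combined log format. The request, referer and User-Agent fields may contain
# backslash-escaped quotes, so each is matched as (?:[^"\\]|\\.)* rather than the
# naive [^"]*, which would split on an injected \" and mis-parse the line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)

# Markers that genuine browser and crawler User-Agents do not contain: a quote
# breakout followed by SQL, sleep primitives, UNION SELECT, comment openers.
SQLI_RE = re.compile(
    r"""(?ix)
      '\s*(?:or|and|union|select|\)|;|--|\#|/\*)
    | \b(?:sleep|benchmark|pg_sleep|waitfor\s+delay)\b
    | \bunion\s+(?:all\s+)?select\b
    | /\*!?
    | --\s*-?\s*$
    """
)


def unescape_field(field: str) -> str:
    """Undo Apache's backslash escaping of quotes so the value is inspected as sent."""
    return re.sub(r'\\(["\\])', r'\1', field)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; returns None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ua"] = unescape_field(rec["ua"])
    parts = rec["request"].split(" ")
    rec["method"] = parts[0]
    rec["path"] = parts[1].split("?", 1)[0] if len(parts) > 1 else ""
    return rec


def is_captcha_sqli(rec: dict) -> bool:
    """True for a request to the captcha API whose User-Agent carries SQL.
    endswith() also catches installs under a sub-path such as /faq/."""
    on_captcha_api = rec["path"].rstrip("/").endswith("/api/captcha")
    return on_captcha_api and SQLI_RE.search(rec["ua"]) is not None


def scan(lines: Iterable[str]) -> list:
    """Return the parsed records that match, in log order."""
    return [rec for rec in map(parse_line, lines) if rec and is_captcha_sqli(rec)]


# Constructed sample: one clean request, a time-based probe, the same probe on an
# unrelated path, a quote-breakout with escaped double quotes under a sub-path,
# and a benign UA that happens to contain an apostrophe.
SAMPLE_LOG = r'''203.0.113.7 - - [09/Jan/2024:12:00:01 +0000] "GET /api/captcha HTTP/1.1" 200 1843 "https://faq.example/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"
203.0.113.7 - - [09/Jan/2024:12:00:02 +0000] "GET /api/captcha HTTP/1.1" 200 1843 "-" "Mozilla/5.0' AND SLEEP(5)-- -"
203.0.113.7 - - [09/Jan/2024:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 9112 "-" "Mozilla/5.0' AND SLEEP(5)-- -"
198.51.100.23 - - [09/Jan/2024:12:00:04 +0000] "GET /faq/api/captcha HTTP/1.1" 200 1843 "-" "\"x\"' OR '1'='1"
203.0.113.9 - - [09/Jan/2024:12:00:05 +0000] "GET /api/captcha?x=1 HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (Macintosh; It's a Mac) Safari/605.1.15"
'''.splitlines()


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], repr(hit["ua"]))
```

Only the second and fourth lines are reported: the probe against `/index.php` is excluded by the path filter, and the apostrophe in the Safari string is not followed by SQL. A combined log has no response-time field, so the slow responses that time-based extraction produces are invisible here; pair this with a request-rate threshold per source IP, or log `%D` in Apache, to catch the extraction loop itself.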