If you use the open-source FAQ software phpMyFAQ, you need to know about CVE-2022-3608. This vulnerability allows attackers to exploit stored Cross-site Scripting (XSS) issues in versions before 3.2.-alpha. Here’s what you need to know, including code examples and how to stay safe.
What is CVE-2022-3608?
CVE-2022-3608 is a security flaw discovered in phpMyFAQ before version 3.2.-alpha. Specifically, it’s a stored XSS vulnerability, which means an attacker can submit malicious scripts that get stored in the database and run whenever a user visits the affected page.
Key Points
- Product: phpMyFAQ
What is Stored XSS?
Stored XSS happens when an attacker places a malicious script in a place that’s going to be shown to other users. For example, an attacker might submit a dangerous <script> tag in a FAQ answer or a comment. When someone else visits that FAQ page, the website displays the attacker’s JavaScript, which can steal info, change page content, or act on behalf of the user.
1. Attacker submits a malicious FAQ entry
phpMyFAQ allowed submission of content (like questions, answers, or comments) without properly escaping or sanitizing HTML and JavaScript before storing it.
2. Malicious code is saved to the database
The attacker’s <script> code is stored as part of a FAQ answer, question, or comment.
3. User visits the affected page
When another user (maybe an admin) views the entry, the malicious script executes in their browser.
Here’s an example of what an attacker might submit as a FAQ question or answer:
<script>alert('You have been hacked!');</script>
This input, if not sanitized, will be stored in the database. When rendered on a FAQ page, any browser will execute the script, showing a popup. More dangerous scripts could steal cookies or spoof sessions.
Suppose the FAQ submission form looks like this:
<form action="/faq/submit.php" method="POST">
<input type="text" name="question" placeholder="Your Question">
<textarea name="answer" placeholder="Your Answer"></textarea>
<button type="submit">Submit</button>
</form>
Step 2: Malicious Code is Saved
phpMyFAQ, before 3.2.-alpha, did not clean this input, so the image tag (with a JavaScript onerror) is saved as-is.
Step 3: Victim Visits Page
Anyone (like an admin) who views this FAQ item will trigger the alert('XSS!') script.
Deface FAQ entries
If an administrator’s account is compromised, the damage can include complete takeover of the phpMyFAQ system.
References and Original Advisory
- NVD - CVE-2022-3608
- Github Security Advisory for phpMyFAQ
- Original phpMyFAQ Repo
- Commit with XSS Fix
How Was It Fixed?
The fix for CVE-2022-3608 added sanitization and escaping for user-submitted content during both saving to and rendering from the database. For example, using PHP’s htmlspecialchars() to neutralize special HTML chars:
<?php
// Example PHP escaping: encode &, <, >, " and ' so stored markup is shown as text, not executed
echo htmlspecialchars($faq_entry['answer'], ENT_QUOTES, 'UTF-8');
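The following is an added example, not phpMyFAQ’s own code, that contrasts raw output of a stored answer with output-escaped rendering, and includes a heuristic audit for entries that may already have been stored before the fix. The entries array, the function names and the audit pattern are constructed for illustration.

```php
<?php
// Added example (not phpMyFAQ's code): render a stored FAQ answer raw vs.
// escaped, and flag stored entries that contain HTML/JavaScript markers.
declare(strict_types=1);

// Constructed sample rows in the shape id => answer text. Entry 2 is the
// payload shown earlier on the page; entry 3 is an image tag with onerror.
$entries = [
    1 => 'Reset your password from the profile page.',
    2 => "<script>alert('You have been hacked!');</script>",
    3 => '<img src=x onerror="alert(\'XSS!\')">',
];

// Vulnerable pattern: stored text is concatenated straight into the page,
// so whatever markup the submitter stored becomes live HTML for every viewer.
function renderRaw(string $answer): string
{
    return '<div class="answer">' . $answer . '</div>';
}

// Hardened pattern: encode at output time. ENT_QUOTES covers both quote
// styles so the value is also safe inside attributes; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string and
// silently dropping the answer.
function renderEscaped(string $answer): string
{
    $safe = htmlspecialchars($answer, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="answer">' . $safe . '</div>';
}

// Heuristic audit for content saved before the fix: flag entries containing
// a script tag, an inline event handler, or a javascript: URL so an admin can
// review them. Expect some false positives on ordinary prose.
function findSuspiciousEntries(array $entries): array
{
    $pattern = '/<\s*script\b|\bon[a-z]+\s*=|javascript:/i';
    $flagged = [];
    foreach ($entries as $id => $answer) {
        if (preg_match($pattern, $answer) === 1) {
            $flagged[] = $id;
        }
    }
    return $flagged;
}

foreach ($entries as $id => $answer) {
    echo "entry $id raw:     " . renderRaw($answer) . PHP_EOL;
    echo "entry $id escaped: " . renderEscaped($answer) . PHP_EOL;
}
echo 'entries to review: ' . implode(', ', findSuspiciousEntries($entries)) . PHP_EOL;
```

Escaping on output is the control that matters for viewers; if content is also escaped before storage, make sure the render path does not encode it a second time.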
Update Immediately:
Upgrade to phpMyFAQ 3.2.-alpha or later. Get the latest release here.
- Input Validation/Sanitization:
Conclusion
CVE-2022-3608 is a serious issue for anyone running phpMyFAQ before 3.2.-alpha. An attacker could inject JavaScript code that steals user data or attacks your FAQ and users. The best fix is to upgrade your phpMyFAQ right away and follow common web security best practices.
For more information, check the official advisory.
Timeline
Published on: 10/19/2022 13:15:00 UTC
Last modified on: 10/20/2022 19:35:00 UTC