CVE-2022-3608 – phpMyFAQ

Stored XSS and possible RCE/LFI

phpMyFAQ has a feature to restore the entire application from a backup. An attacker with admin privileges can export the configuration and re-upload that file, and the restore path imports it while bypassing all the backend sanitization and controls that normally apply to content entered through the UI.

POC – Proof of concept

  • Log in as admin
  • Go to the backup page
  • Create a backup and download it
  • Edit or add some query to the file
  • In this case I edited the content of a category in order to fire an XSS on the admin panel or homepage
  • Navigate to some page and see the XSS (homepage, list categories, etc.)

PAYLOAD: <script>alert(0)</script>
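Two defender-side checks a restore path should run before importing a backup like the one above (added example, not phpMyFAQ code): an HMAC trailer written at export time so an edited file is rejected outright, and a scan of INSERT rows for HTML/script fragments as a fallback. The trailer marker, the key, and the sample dump are constructed for this example.

```python
import hmac
import hashlib
import re

# Constructed sample of a phpMyFAQ-style SQL backup; row 2 carries the
# stored-XSS payload quoted in the advisory, row 3 an event-handler variant.
SAMPLE_BACKUP = """\
-- phpMyFAQ backup (constructed sample)
INSERT INTO faqcategories (id, name, description) VALUES (1, 'General', 'Plain text');
INSERT INTO faqcategories (id, name, description) VALUES (2, '<script>alert(0)</script>', 'x');
INSERT INTO faqcategories (id, name, description) VALUES (3, 'Help', '<img src=x onerror=alert(1)>');
"""

# Fragments that have no business inside category names or descriptions.
HTML_INJECTION = re.compile(
    r"<\s*script|<\s*\w+[^>]*\son\w+\s*=|javascript\s*:", re.IGNORECASE
)
INSERT_RE = re.compile(
    r"^INSERT INTO\s+(\w+)\s*\([^)]*\)\s*VALUES\s*\((.*)\);\s*$", re.IGNORECASE
)
TRAILER = "-- phpMyFAQ-HMAC: "  # constructed marker, not a real phpMyFAQ format


def sign_backup(sql: str, key: bytes) -> str:
    """Append a keyed HMAC so restore can tell the file is the one the server exported."""
    mac = hmac.new(key, sql.encode(), hashlib.sha256).hexdigest()
    return f"{sql}{TRAILER}{mac}\n"


def verify_backup(signed: str, key: bytes) -> bool:
    """True only if the trailer MAC matches the body (constant-time compare)."""
    body, sep, trailer = signed.rpartition(TRAILER)
    if not sep:
        return False  # unsigned file: refuse to restore
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, trailer.strip())


def find_suspicious_rows(sql: str) -> list[tuple[str, int]]:
    """Second line of defence: (table, line_no) for INSERT rows with HTML/JS fragments."""
    hits = []
    for lineno, line in enumerate(sql.splitlines(), start=1):
        m = INSERT_RE.match(line)
        if m and HTML_INJECTION.search(m.group(2)):
            hits.append((m.group(1), lineno))
    return hits
```

The key must stay server-side: an admin who can download the export cannot then forge a trailer for an edited copy.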

Misconfiguration:

If the grants of the SQL service user are misconfigured (for example, it holds the MySQL FILE privilege), an attacker could abuse the imported queries to read or write sensitive files:

SELECT LOAD_FILE('/etc/passwd');
SELECT 'some php code' INTO DUMPFILE '/sitepath/somefile.php';

Impact

This vulnerability allows an attacker to take control of the entire database and, in some cases, read arbitrary files or execute shell commands by writing a malicious PHP file.

Severity

https://cvss.js.org/#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Reference

https://huntr.dev/bounties/8f0f3635-9d81-4c55-9826-2ba955c3a850/

https://github.com/thorsten/phpmyfaq

https://nvd.nist.gov/vuln/detail/CVE-2022-3608