#Title: phpMyFAQ 2.8.X - Multiple Vulnerabilities
#Version: >= 2.8.12 (Latest ATM)
#Tested on: Apache 2.2 / PHP 5.4 / Linux
#Contact: smash [at] devilteam.pl
1) Persistent XSS
The administrator can view information about a specific user session in the 'Statistic' tab. There you find details such as the user's IP address, referer and user agent. Referer and user agent are plain request headers chosen by the visitor; they are stored as sent and rendered to the administrator without encoding, so a visitor can plant script that runs in the administrator's browser when the session is viewed.
For example, to view information about the session with ID 1, you visit the following address:
<?php
$ch = curl_init('http://target/index.php');   // hypothetical target URL; this page does not reproduce the advisory's address
curl_setopt($ch, CURLOPT_REFERER, '');         // referer is stored per session and later shown to the admin unencoded
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   // return the response body instead of printing it
$postResult = curl_exec($ch);
curl_close($ch);
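To make the data flow behind this finding concrete, here is an added example; it is neither phpMyFAQ code nor the advisory's PoC. It builds a session record whose referer and user agent hold visitor-supplied markup, renders it once the way an unencoded statistics table would and once with output encoding, and checks which version still carries a raw tag. The record layout, field names and function names are assumptions.

```php
<?php
// Added example, not phpMyFAQ code: models the stored-XSS data flow described
// above. Visitor-controlled request headers are logged per session and later
// rendered to an administrator. Record layout and field names are assumptions.

// Constructed sample of what a tracking record for session ID 1 might hold.
// 'referer' and 'ua' are copied verbatim from the visitor's request headers.
$session = array(
    'sid'     => 1,
    'ip'      => '203.0.113.5',
    'referer' => '<script>alert(document.cookie)</script>',
    'ua'      => 'Mozilla/5.0 "><img src=x onerror=alert(1)>',
);

// Vulnerable rendering: raw values are concatenated into HTML, so whatever
// markup the visitor sent executes in the administrator's browser.
function renderSessionVulnerable(array $s)
{
    return "<tr><td>{$s['sid']}</td><td>{$s['ip']}</td>"
         . "<td>{$s['referer']}</td><td>{$s['ua']}</td></tr>";
}

// Hardened rendering: every attacker-controlled value is HTML-encoded for the
// element-body context it lands in. ENT_QUOTES also neutralises attribute
// delimiters and a fixed charset stops encoding tricks from bypassing it.
function h($v)
{
    return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSessionSafe(array $s)
{
    return '<tr><td>' . h($s['sid']) . '</td><td>' . h($s['ip']) . '</td>'
         . '<td>' . h($s['referer']) . '</td><td>' . h($s['ua']) . '</td></tr>';
}

// Regression check: does the rendered HTML still contain an unescaped <tag ?
function containsRawTag($html, $tag)
{
    return stripos($html, '<' . $tag) !== false;
}

$vuln = renderSessionVulnerable($session);
$safe = renderSessionSafe($session);

echo "vulnerable: ", $vuln, PHP_EOL;
echo "hardened:   ", $safe, PHP_EOL;
echo "raw <script> in vulnerable output: ", containsRawTag($vuln, 'script') ? 'yes' : 'no', PHP_EOL;
echo "raw <script> in hardened output:   ", containsRawTag($safe, 'script') ? 'yes' : 'no', PHP_EOL;
echo "raw <img> in hardened output:      ", containsRawTag($safe, 'img') ? 'yes' : 'no', PHP_EOL;
```

Run it with `php` on the command line; the encoded output is the shape the 'Statistic' page has to emit for every stored header, since nothing a visitor sends in Referer or User-Agent can be trusted.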
2) Remote FAQ Disclosure
The administrator can view or download the FAQ data in a few export formats (xhtml, xml, pdf). Because no permission check restricts these actions to logged-in users, an attacker can perform the same exports without having an account.
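A practitioner will want to check whether an export really is reachable anonymously. The following is an added example, not part of the advisory and not phpMyFAQ code: it requests an export URL with no session cookie and classifies the response. The export URL is taken from the command line because this page does not reproduce it; the rules for recognising each format, the function names and the constructed sample responses are assumptions. When run without arguments it exercises the classifier offline on those samples.

```php
<?php
// Added example; not part of the advisory and not phpMyFAQ code. Requests an
// export URL with no session cookie and classifies the answer, so you can
// check whether the export is reachable anonymously. The export URL is a
// command-line argument because this page does not reproduce it; the
// classification rules are assumptions about what each format looks like.

function classifyExportResponse($status, $contentType, $body)
{
    // A protected endpoint redirects to the login page or answers with an
    // error status. A 200 carrying a PDF or XML document to an anonymous
    // client is a disclosure. A 200 HTML page is ambiguous: it may be the
    // XHTML export or just the login form, so it is left for manual review.
    if ($status >= 300 && $status < 400) {
        return 'redirect (login probably required)';
    }
    if ($status !== 200) {
        return 'denied (HTTP ' . $status . ')';
    }
    if (strncmp($body, '%PDF-', 5) === 0) {
        return 'DISCLOSED: PDF export served anonymously';
    }
    if (preg_match('/^\s*<\?xml/i', $body) === 1) {
        return 'DISCLOSED: XML export served anonymously';
    }
    if (stripos($contentType, 'html') !== false) {
        return 'REVIEW: HTML at 200 (XHTML export or login form?)';
    }
    return 'REVIEW: unclassified 200 response';
}

function probeExport($url)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false); // a login redirect is the signal we want; do not follow it
    curl_setopt($ch, CURLOPT_COOKIE, '');            // deliberately no session: ask as an anonymous visitor
    curl_setopt($ch, CURLOPT_TIMEOUT, 15);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        return array('error' => $err);
    }
    $status = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $ctype  = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);
    curl_close($ch);
    return array(
        'status'       => $status,
        'content_type' => $ctype,
        'verdict'      => classifyExportResponse($status, $ctype, $body),
    );
}

if (PHP_SAPI === 'cli') {
    if ($argc < 2) {
        // Offline self-check on constructed responses when no URL is given.
        $samples = array(
            array(302, 'text/html', ''),
            array(200, 'application/pdf', "%PDF-1.4\n..."),
            array(200, 'text/xml', "<?xml version=\"1.0\"?><faq/>"),
            array(200, 'text/html; charset=utf-8', '<html><form>login</form></html>'),
        );
        foreach ($samples as $s) {
            echo $s[0], ' ', $s[1], ' -> ', classifyExportResponse($s[0], $s[1], $s[2]), PHP_EOL;
        }
        fwrite(STDERR, "usage: php export-probe.php <export-url> [...]\n");
        exit(0);
    }
    foreach (array_slice($argv, 1) as $url) {
        $r = probeExport($url);
        echo $url, ' -> ', isset($r['error']) ? 'error: ' . $r['error']
            : $r['status'] . ' ' . $r['content_type'] . ' ' . $r['verdict'], PHP_EOL;
    }
}
```

Redirects are deliberately not followed: an export endpoint that bounces an anonymous client to the login page is behaving correctly, and following the redirect would turn that into a misleading 200. The HTML case is reported for review rather than as a finding because the login form and an XHTML export both arrive as 200 HTML.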
- Edit user credentials (login/mail)
  Once the victim's mail address has been changed, you can generate a new password for the victim with the 'Forgot password' option: supply your own address, and the new password is sent to you.
- Delete user
- Delete category
- Delete session (month)
- Delete logs older than 30 days
- Add stopword
- Edit configuration
  - FAQ records configuration
  - Spam control center
  - Social network configuration