[] NeoSense
E X P L O I T S
title author type platform port cve id

phpMyFAQ 2.9.0 - Persistent Cross-Site Scripting

Author: Kacper Szurek
type: webapps
platform: php
port: 80.0
date_added: 2016-06-10 
date_updated: 2016-06-10 
verified: 0 
codes:  
tags: 
aliases:  
screenshot_url:  
application_url: http://www.exploit-db.comphpMyFAQ-2.9.0.tar.gz
# Exploit Title: phpMyFAQ 2.9.0 Stored XSS
# Date: 09-06-2016
# Software Link: http://www.phpmyfaq.de/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: webapps

1. Description

PHP `filter_input()` function with `FILTER_VALIDATE_URL` flag is used to validate url inside `savefaq` functionality.

But this function doesn’t protect against XSS.

http://security.szurek.pl/phpmyfaq-290-stored-xss.html

2. Proof of Concept

By default every user can propose faq entries.

When admin activate article using http://phpmyfaq/admin/?action=view url or records.defaultActivation option is enabled, XSS will be visible on entry page:

http://phpmyfaq/index.php?action=artikel&cat=%cat_id%&id=%article_id%&artlang=pl

For exploitation use folowing url inside Link for this FAQ field:

http://example.com/"><script>alert("xss")</script>

3. Solution:

Update to version 2.9.1
Billing Policy . Cookies Policy . Conditions . Disclaimer . ICANN Policy . Legal Notice . Privacy Policy . Spam Policy . Usage Policy
Copyright © 2026 NEOSENSE. All rights reserved.