CVE-2005-3734

An anonymous attacker sends a POST request to the "add content" page at [path_to_phpmyfaq]/faq/index.php?sid=2&lang=en&action=save with malicious payloads in the thema, username, or usermail parameters [ref_id=1]. The injected script is stored persistently and later executed when an administrator views or approves the new record in the admin interface — for example, moving the mouse over the "Author" or "email address" form field triggers an onmouseover handler, or clicking the topic executes injected code [ref_id=1]. No authentication is required to submit the payload, and the attack works regardless of whether magic_quotes_gpc is enabled [ref_id=1].

The advisory does not specify exact file paths or function names. The vulnerable code resides in the "add content" page of phpMyFAQ 1.5.3 and earlier, accessible via the URL path `[path_to_phpmyfaq]/faq/index.php` with parameters `action=add` and `action=save` [ref_id=1]. The thema, username, and usermail POST parameters are not sanitized before being stored and later rendered in the admin interface [ref_id=1].

The advisory states that the vendor released phpMyFAQ 1.5.4 to address these issues [ref_id=1]. No patch diff is provided in the bundle, but the recommended remediation is to upgrade to phpMyFAQ 1.5.4 or newer [ref_id=1]. The fix presumably adds proper output encoding or input validation for the thema, username, and usermail parameters before they are rendered in the admin interface.

1. Send a POST request to `[path_to_phpmyfaq]/faq/index.php?sid=2&lang=en&action=save` with the following parameters (example for username XSS): `username=" onmouseover="alert(document.cookie);`, `usermail=test`, `rubrik[]=1`, `thema=test`, `content=test`, `keywords=test`, `contentlink=http://`, `submit=submit` [ref_id=1]. 2. For the usermail parameter, use: `usermail=" onmouseover="alert(document.cookie);` with other parameters set to benign values [ref_id=1]. 3. For the thema parameter, use: `thema=' : ''}; alert(document.cookie); //` (this PoC works only if it is the last entry in the record list) [ref_id=1]. 4. An administrator visiting the admin interface to approve the record will trigger the injected script — mouseover for username/usermail, click on topic for thema [ref_id=1].