CVE-2024-55889

phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue.

phpMyFAQ is an open source FAQ web application. Prior to version 3.2.10, a vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. Version 3.2.10 fixes the issue.

### Summary A vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. ### Details In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a FAQ record is either created or edited, an attacker can insert an iframe, as "source code", pointing to a prior "malicious" attachment that the attacker has uploaded via FAQ "new attachment" upload, such that any page visits to this FAQ will trigger an automated download (from the edit screen, download is automated; from the faq page view as a normal user, depending on the browser, a pop up confirmation may be presented before the actual download. Firebox browser, for instance, does not require any interactions).  ### PoC 1. create a new FAQ record and upload a "malicious" file - in my case, I uploaded an eicar file. take note of the uri, ie <p><iframe "index.php?action=attachment&amp;id=2"  3. in the FAQ record, insert a "source code" blob using the "< >" button 4. insert in the following snippet: <p><iframe src="index.php?action=attachment&amp;id=2"></iframe></p> and save FAQ record 5. once the edit page reloads, the malicious code will be downloaded onto the local machine without user interaction:  (uploaded a POC for easy demonstration: https://roy.demo.phpmyfaq.de/admin/index.php?action=editentry&id=20&lang=en although a fresh installation overwrites this demo instance every 24 hours) (as a logged in normal user, visit: https://roy.demo.phpmyfaq.de/content/1/20/en/20.html) ### Impact Malicious code or binaries could be dropped on visitors' machines when visiting the FAQ platform. Take a worm or ransomware for instance.

### Summary A vulnerability exists in the FAQ Record component where a privileged attacker can trigger a file download on a victim's machine upon page visit by embedding it in an <iframe> element without user interaction or explicit consent. ### Details In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a FAQ record is either created or edited, an attacker can insert an iframe, as "source code", pointing to a prior "malicious" attachment that the attacker has uploaded via FAQ "new attachment" upload, such that any page visits to this FAQ will trigger an automated download (from the edit screen, download is automated; from the faq page view as a normal user, depending on the browser, a pop up confirmation may be presented before the actual download. Firebox browser, for instance, does not require any interactions).  ### PoC 1. create a new FAQ record and upload a "malicious" file - in my case, I uploaded an eicar file. take note of the uri, ie <p><iframe "index.php?action=attachment&amp;id=2"  3. in the FAQ record, insert a "source code" blob using the "< >" button 4. insert in the following snippet: <p><iframe src="index.php?action=attachment&amp;id=2"></iframe></p> and save FAQ record 5. once the edit page reloads, the malicious code will be downloaded onto the local machine without user interaction:  (uploaded a POC for easy demonstration: https://roy.demo.phpmyfaq.de/admin/index.php?action=editentry&id=20&lang=en although a fresh installation overwrites this demo instance every 24 hours) (as a logged in normal user, visit: https://roy.demo.phpmyfaq.de/content/1/20/en/20.html) ### Impact Malicious code or binaries could be dropped on visitors' machines when visiting the FAQ platform. Take a worm or ransomware for instance.

phpMyFAQ es una aplicación web de código abierto para preguntas frecuentes. Antes de la versión 3.2.10, existía una vulnerabilidad en el componente de registro de preguntas frecuentes por la que un atacante con privilegios podía activar la descarga de un archivo en la máquina de la víctima al visitar una página incrustándolo en un elemento sin interacción del usuario ni consentimiento explícito. La versión 3.2.10 soluciona el problema.