phpMyFAQ v3.2.10 - Unintended File Download Triggered by Embedded Frames

vendor:

phpMyFAQ

by:

George Chen

6.1

CVSS

HIGH

Unintended File Download

CWE

Product Name: phpMyFAQ

Affected Version From: v3.2.10

Affected Version To: v3.2.10

Patch Exists: NO

Related CWE: CVE-2024-55889

CPE: a:thorsten:phpmyfaq:3.2.10

Metasploit:

Other Scripts:

Platforms Tested: Mac, Windows

2024

phpMyFAQ v3.2.10 – Unintended File Download Triggered by Embedded Frames

A vulnerability in phpMyFAQ v3.2.10 allows a privileged attacker to initiate a file download on a victim's system by embedding it in an <iframe> element without user interaction. By uploading a malicious attachment and linking it through an iframe in a FAQ record, the attacker can trigger automated downloads on the victim's machine.

Mitigation:

Update to the latest version of phpMyFAQ to mitigate this vulnerability. Avoid opening untrusted FAQs or clicking on suspicious links.

Source

Exploit-DB raw data:

# Exploit Title: phpMyFAQ v3.2.10 - Unintended File Download Triggered by Embedded Frames
# Date: 13 Dec 2024
# Exploit Author: George Chen
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ/
# Software Link: https://github.com/thorsten/phpMyFAQ/
# Version: v3.2.10
# Tested on: Mac, Win
# CVE : CVE-2024–55889


*Summary*
A vulnerability exists in the FAQ Record component of
https://github.com/thorsten/phpMyFAQ v3.2.10 where a privileged attacker
can trigger a file download on a victim’s machine upon page visit by
embedding it in an <iframe> element without user interaction or explicit
consent.

*Details*
In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a
FAQ record is either created or edited, an attacker can insert an iframe,
as “source code”, pointing to a prior “malicious” attachment that the
attacker has uploaded via FAQ “new attachment” upload, such that any page
visits to this FAQ will trigger an automated download (from the edit
screen, download is automated; from the faq page view as a normal user,
depending on the browser, a pop up confirmation may be presented before the
actual download. Firebox browser, for instance, does not require any
interactions).

[image: image.png]

*PoC*

   1. create a new FAQ record and upload a “malicious” file — in my case, I
   uploaded an eicar file. Take note of the uri, ie
   “index.php?action=attachment&id=2”
   2. in the FAQ record, insert a “source code” blob using the “< >” button
   3. insert in the following snippet and save FAQ record:
    <p><iframe src="index.php?action=attachment&id=2"></iframe></p> [image:
   image.png]
   4. Once the edit page reloads, the malicious code will be downloaded
   onto the local machine without user interaction:[image: image.png]

   Advisory:
   https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc
   Disclosure: https://geochen.medium.com/cve-2024-55889-03572ae6c35c