GHSA-GCP9-5JC8-976X

Vulnerability from github – Published: 2026-04-01 23:41 – Updated: 2026-04-06 23:17
VLAI?
Summary
phpMyFAQ has a LIKE Wildcard Injection in Search.php — Unescaped % and _ Metacharacters Enable Broad Content Disclosure
Details

Summary

The searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real_escape_string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real_escape_string() does not escape SQL LIKE metacharacters % (match any sequence) and _ (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records — including content that was not meant to be surfaced — resulting in information disclosure.

Details

File: phpmyfaq/src/phpMyFAQ/Search.php, lines 226–240

Vulnerable code:

$escapedSearchTerm = $this->configuration->getDb()->escape($searchTerm);
$searchWords = explode(' ', $escapedSearchTerm);
$searchConditions = [];

foreach ($searchWords as $word) {
    if (strlen($word) <= 2) {
        continue;
    }
    $searchConditions[] = sprintf(
        "(page_title LIKE '%%%s%%' OR content LIKE '%%%s%%')",
        $word,
        $word
    );
}

escape() calls mysqli::real_escape_string(), which escapes characters like ', \, NULL, etc. — but explicitly does not escape % or _, as these are not SQL string delimiters. They are, however, LIKE pattern wildcards.

Attack vector:

A user submits a search term containing _ or % as part of a 3+ character word (to bypass the strlen <= 2 filter). Examples:

  • Search for a_b → LIKE becomes '%a_b%'_ matches any single character, e.g. matches "aXb", "a1b", "azb" — broader than the literal string a_b
  • Search for te%t → LIKE becomes '%te%t%' → matches test, text, te12t, etc.
  • Search for _%_ → LIKE becomes '%_%_%' → matches any record with at least one character, effectively dumping all custom pages

This allows an attacker to retrieve custom page content that would not appear in normal exact searches, bypassing intended search scope restrictions.

PoC

  1. Navigate to the phpMyFAQ search page (accessible to unauthenticated users by default).
  2. Submit a search query: _%_ (underscore, percent, underscore — length 3, bypasses the <= 2 filter).
  3. The backend executes: WHERE (page_title LIKE '%_%_%' OR content LIKE '%_%_%')
  4. This matches all custom pages with at least one character in title or content — returning content that would not appear for a specific search term.

Impact

  • Authentication required: None — search is publicly accessible
  • Affected component: searchCustomPages() in Search.php; custom pages (faqcustompages table)
  • Impact: Unauthenticated users can enumerate/disclose all custom page content regardless of the intended search term filter
  • Fix: Escape % and _ in LIKE search terms before interpolation: php $word = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $word); Or use parameterized queries with properly escaped LIKE values.
Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34973"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-943"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T23:41:49Z",
    "nvd_published_at": "2026-04-02T15:16:51Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `searchCustomPages()` method in `phpmyfaq/src/phpMyFAQ/Search.php` uses `real_escape_string()` (via `escape()`) to sanitize the search term before embedding it in LIKE clauses. However, `real_escape_string()` does **not** escape SQL LIKE metacharacters `%` (match any sequence) and `_` (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records \u2014 including content that was not meant to be surfaced \u2014 resulting in information disclosure.\n\n### Details\n\n**File:** `phpmyfaq/src/phpMyFAQ/Search.php`, lines 226\u2013240\n\n**Vulnerable code:**\n```php\n$escapedSearchTerm = $this-\u003econfiguration-\u003egetDb()-\u003eescape($searchTerm);\n$searchWords = explode(\u0027 \u0027, $escapedSearchTerm);\n$searchConditions = [];\n\nforeach ($searchWords as $word) {\n    if (strlen($word) \u003c= 2) {\n        continue;\n    }\n    $searchConditions[] = sprintf(\n        \"(page_title LIKE \u0027%%%s%%\u0027 OR content LIKE \u0027%%%s%%\u0027)\",\n        $word,\n        $word\n    );\n}\n```\n\n`escape()` calls `mysqli::real_escape_string()`, which escapes characters like `\u0027`, `\\`, `NULL`, etc. \u2014 but explicitly does **not** escape `%` or `_`, as these are not SQL string delimiters. They are, however, LIKE pattern wildcards.\n\n**Attack vector:**\n\nA user submits a search term containing `_` or `%` as part of a 3+ character word (to bypass the `strlen \u003c= 2` filter). Examples:\n\n- Search for `a_b` \u2192 LIKE becomes `\u0027%a_b%\u0027` \u2192 `_` matches any single character, e.g. matches `\"aXb\"`, `\"a1b\"`, `\"azb\"` \u2014 broader than the literal string `a_b`\n- Search for `te%t` \u2192 LIKE becomes `\u0027%te%t%\u0027` \u2192 matches `test`, `text`, `te12t`, etc.\n- Search for `_%_` \u2192 LIKE becomes `\u0027%_%_%\u0027` \u2192 matches any record with at least one character, effectively dumping all custom pages\n\nThis allows an attacker to retrieve custom page content that would not appear in normal exact searches, bypassing intended search scope restrictions.\n\n### PoC\n\n1. Navigate to the phpMyFAQ search page (accessible to unauthenticated users by default).\n2. Submit a search query: `_%_` (underscore, percent, underscore \u2014 length 3, bypasses the `\u003c= 2` filter).\n3. The backend executes: `WHERE (page_title LIKE \u0027%_%_%\u0027 OR content LIKE \u0027%_%_%\u0027)`\n4. This matches **all** custom pages with at least one character in title or content \u2014 returning content that would not appear for a specific search term.\n\n### Impact\n\n- **Authentication required:** None \u2014 search is publicly accessible\n- **Affected component:** `searchCustomPages()` in `Search.php`; custom pages (faqcustompages table)\n- **Impact:** Unauthenticated users can enumerate/disclose all custom page content regardless of the intended search term filter\n- **Fix:** Escape `%` and `_` in LIKE search terms before interpolation:\n  ```php\n  $word = str_replace([\u0027\\\\\u0027, \u0027%\u0027, \u0027_\u0027], [\u0027\\\\\\\\\u0027, \u0027\\\\%\u0027, \u0027\\\\_\u0027], $word);\n  ```\n  Or use parameterized queries with properly escaped LIKE values.",
  "id": "GHSA-gcp9-5jc8-976x",
  "modified": "2026-04-06T23:17:56Z",
  "published": "2026-04-01T23:41:49Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34973"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "phpMyFAQ has a LIKE Wildcard Injection in Search.php \u2014 Unescaped % and _ Metacharacters Enable Broad Content Disclosure"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.