PT-2026-29784 · Thorsten+1 · Phpmyfaq+1

Published

2026-04-01

·

Updated

2026-04-02

·

CVE-2026-34973

CVSS v4.0

6.9

Medium

AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Summary

The searchCustomPages() method in phpmyfaq/src/phpMyFAQ/Search.php uses real escape string() (via escape()) to sanitize the search term before embedding it in LIKE clauses. However, real escape string() does not escape SQL LIKE metacharacters % (match any sequence) and (match any single character). An unauthenticated attacker can inject these wildcards into search queries, causing them to match unintended records — including content that was not meant to be surfaced — resulting in information disclosure.

Details

File: phpmyfaq/src/phpMyFAQ/Search.php, lines 226–240
Vulnerable code:
$escapedSearchTerm = $this->configuration->getDb()->escape($searchTerm);
$searchWords = explode(' ', $escapedSearchTerm);
$searchConditions = [];

foreach ($searchWords as $word) {
  if (strlen($word) <= 2) {
    continue;
  }
  $searchConditions[] = sprintf(
    "(page title LIKE '%%%s%%' OR content LIKE '%%%s%%')",
    $word,
    $word
  );
}
escape() calls mysqli::real escape string(), which escapes characters like ', ``, NULL, etc. — but explicitly does not escape % or , as these are not SQL string delimiters. They are, however, LIKE pattern wildcards.
Attack vector:
A user submits a search term containing or % as part of a 3+ character word (to bypass the strlen <= 2 filter). Examples:
  • Search for a b → LIKE becomes '%a b%' matches any single character, e.g. matches "aXb", "a1b", "azb" — broader than the literal string a b
  • Search for te%t → LIKE becomes '%te%t%' → matches test, text, te12t, etc.
  • Search for % → LIKE becomes '% % %' → matches any record with at least one character, effectively dumping all custom pages
This allows an attacker to retrieve custom page content that would not appear in normal exact searches, bypassing intended search scope restrictions.

PoC

  1. Navigate to the phpMyFAQ search page (accessible to unauthenticated users by default).
  2. Submit a search query: % (underscore, percent, underscore — length 3, bypasses the <= 2 filter).
  3. The backend executes: WHERE (page title LIKE '% % %' OR content LIKE '% % %')
  4. This matches all custom pages with at least one character in title or content — returning content that would not appear for a specific search term.

Impact

  • Authentication required: None — search is publicly accessible
  • Affected component: searchCustomPages() in Search.php; custom pages (faqcustompages table)
  • Impact: Unauthenticated users can enumerate/disclose all custom page content regardless of the intended search term filter
  • Fix: Escape % and in LIKE search terms before interpolation:
$word = str replace(['', '%', ' '], ['', '%', ' '], $word);
Or use parameterized queries with properly escaped LIKE values.

Fix

Weakness Enumeration

CWE-943

Related Identifiers

CVE-2026-34973
GHSA-GCP9-5JC8-976X

Affected Products

Phpmyfaq
Thorsten/Phpmyfaq