BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha() at phpmyfaq/src/phpMyFAQ/Captcha/BuiltinCaptcha.php:298 and :330 interpolate the User-Agent header and client IP address into DELETE and INSERT queries with sprintf and no escaping. Both methods run on every hit to the public GET /api/captcha endpoint, which requires no authentication. An unauthenticated attacker sets the User-Agent header to a crafted SQL payload and runs SLEEP(), BENCHMARK(), or time-based blind extraction against the database that backs phpMyFAQ. Verified live against 4.2.0-alpha (master at b9f25109): baseline request 147 ms, request with User-Agent: x' OR SLEEP(2) OR 'x 4.09 s (two SLEEP(2) calls, one per vulnerable sink).
phpmyfaq/src/phpMyFAQ/Captcha/BuiltinCaptcha.php:112 populates two private fields from untrusted HTTP input at construction time:
$this->userAgent = $request->headers->get('user-agent');
$this->ip = $request->getClientIp();
Both fields are then dropped into sprintf() SQL templates without ever touching Database::escape() or a prepared statement.
garbageCollector() at line 298 (called on every captcha request via getCaptchaImage()):
$delete = sprintf(
"
DELETE FROM
%sfaqcaptcha
WHERE
useragent = '%s' AND language = '%s' AND ip = '%s'",
Database::getTablePrefix(),
$this->userAgent, // unescaped
$this->configuration->getLanguage()->getLanguage(),
$this->ip, // unescaped
);
$this->configuration->getDb()->query($delete);
saveCaptcha() at line 330 does the same for INSERT:
$insert = sprintf(
"INSERT INTO %sfaqcaptcha (id, useragent, language, ip, captcha_time) VALUES ('%s', '%s', '%s', '%s', %d)",
Database::getTablePrefix(),
$this->code,
$this->userAgent, // unescaped...
4.1.24.1.2Exploitability
AV:NAC:LPR:NUI:NScope
S:UImpact
C:HI:HA:H9.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H