Описание
phpMyFAQ has unauthenticated config backup download via /api/setup/backup
Summary
An unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., database.php with database credentials), leading to high-impact information disclosure and potential follow-on compromise.
Details
The endpoint /api/setup/backup is reachable via default rewrite rules and does not enforce authentication/authorization or API token verification. When called with any non-empty body (used as an “installed version” string), the server creates a ZIP archive inside the configuration directory and returns a direct URL to the generated ZIP file.
Relevant code paths:
- Rewrite rule exposing the endpoint:
phpmyfaq/.htaccess:RewriteRule ^api/setup/(check|backup|update-database) api/index.php [L,QSA]
- Controller implementation:
phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.php→backup()- No call to
hasValidToken(),userIsAuthenticated(), or any permission check
- No call to
- Backup creation:
phpmyfaq/src/phpMyFAQ/Setup/Update.php→createConfigBackup()- Writes the ZIP into the config directory and returns a public URL under
content/core/config/
- Writes the ZIP into the config directory and returns a public URL under
PoC
Replace BASE_URL with your instance URL.
- Trigger config backup generation without authentication:
Expected result: 200 OK with JSON containing backupFile.
- Copy the
backupFileURL from the JSON response and download it (still without authentication):
- Verify sensitive content exists in the ZIP:
Observed: database.php is included and contains DB host/user/password.
Impact
- Vulnerability class: Missing authentication/authorization for a sensitive function + sensitive information exposure.
- Who is impacted: Any internet-exposed phpMyFAQ installation where the default
.htaccessrewrite rules are active and the endpoint is reachable. - Security impact: Disclosure of configuration secrets (DB credentials, integration config, etc.), enabling follow-on attacks such as database takeover and data exfiltration.
Пакеты
thorsten/phpmyfaq
< 4.0.16
4.0.16
thorsten/phpmyfaq
>= 4.1.0-alpha, <= 4.1.0-beta.2
Отсутствует
Связанные уязвимости
phpMyFAQ is an open source FAQ web application. In versions prior to 4.0.16, an unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. Version 4.0.16 fixes the issue.