Описание
phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)
Summary
Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP.
Details
SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path.
PoC
Precondition: API enabled, any authenticated non‑admin user.
- Log in as a non‑admin user.
- Call backup endpoint.
Impact
Low‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposure.
Пакеты
phpmyfaq/phpmyfaq
<= 4.0.16
4.0.17
thorsten/phpmyfaq
<= 4.0.16
4.0.17
Связанные уязвимости
phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17.