phpMyFAQ, Authorization Bypass, CVE-2024-3968 (Medium)

Listen to this Post

How the CVE Works:

The vulnerability exists in attachment.php. The access control check uses the logic ($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment']). The `isset()` function returns `true` if the ‘dlattachment’ key exists in the `$permission` array, regardless of its boolean value (e.g., false). For users with group permissions ($groupPermission true), the flawed expression simplifies, bypassing the intended check. This allows any logged-in user without the `dlattachment` right to download attachments by directly requesting the vulnerable endpoint.
Platform: phpMyFAQ
Version: < 3.2.10
Vulnerability: Authorization Bypass
Severity: Medium
Date: 2024-07-16

Prediction: Patch Released

What Undercode Say:

curl -c cookies.txt -H 'Content-Type: application/json' -d '{"username":"tester","password":"Test1234!"}' http://target/api/v3.0/login
curl -i -b cookies.txt "http://target/index.php?action=attachment&id=1"

How Exploit:

1. Attacker logs in.

2. Requests attachment ID.

3. Bypasses permission check.

Protection from this CVE:

Upgrade to version 3.2.10.

Impact:

Unauthorized file disclosure.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top