Listen to this Post
The vulnerability exists in the SetupController.php file where the /api/setup/backup endpoint is exposed. This endpoint is intended for administrative tasks such as creating configuration backups. It utilizes the userIsAuthenticated() function to verify that the requesting user is logged into the system. However, the endpoint fails to implement any authorization checks beyond authentication. It does not validate whether the authenticated user possesses the necessary administrative or configuration permissions. Consequently, any user with valid login credentials, including those with non-admin roles, can successfully trigger a backup request. When invoked via a POST request, the endpoint executes the backup routine, which compiles sensitive configuration files, database settings, and other critical data into a ZIP archive. The server then generates a direct download link to this archive and returns it in the response. The backup file is typically stored within a web-accessible directory. This flaw allows low-privileged attackers to exfiltrate sensitive information simply by authenticating and calling the API. The issue stems from a broken access control mechanism where authentication is incorrectly equated with authorization. The backup process can be initiated remotely via the API if enabled, requiring only standard user credentials. The returned link may lead to full system compromise if the backup file is accessed, as it contains secrets like database passwords. This vulnerability is exploitable in default configurations where the API is active, making it a significant security oversight.
Platform: phpMyFAQ
Version: 4.0.16
Vulnerability: Unauthorized configuration backup
Severity: Medium
Date: Unknown
Prediction: Patch TBA
What Undercode Say:
Analytics
curl -c /tmp/pmf_api_cookies.txt -H 'Content-Type: application/json' -d '{"username":"tester","password":"Test1234!"}' http://192.168.40.16/phpmyfaq/api/v3.0/login
curl -i -b /tmp/pmf_api_cookies.txt -X POST --data '4.0.16' http://192.168.40.16/phpmyfaq/api/setup/backup
How Exploit:
Authenticate as user.
Call backup endpoint.
Retrieve ZIP link.
Protection from this CVE
Add authorization checks.
Disable unused APIs.
Update software version.
Impact:
Sensitive backup exposure.
Secret leakage risk.
Privilege escalation possible.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

