phpMyFAQ, Unauthorized Configuration Backup Vulnerability (Medium)

Listen to this Post

The vulnerability exists in the SetupController.php file where the /api/setup/backup endpoint is exposed. This endpoint is intended for administrative tasks such as creating configuration backups. It utilizes the userIsAuthenticated() function to verify that the requesting user is logged into the system. However, the endpoint fails to implement any authorization checks beyond authentication. It does not validate whether the authenticated user possesses the necessary administrative or configuration permissions. Consequently, any user with valid login credentials, including those with non-admin roles, can successfully trigger a backup request. When invoked via a POST request, the endpoint executes the backup routine, which compiles sensitive configuration files, database settings, and other critical data into a ZIP archive. The server then generates a direct download link to this archive and returns it in the response. The backup file is typically stored within a web-accessible directory. This flaw allows low-privileged attackers to exfiltrate sensitive information simply by authenticating and calling the API. The issue stems from a broken access control mechanism where authentication is incorrectly equated with authorization. The backup process can be initiated remotely via the API if enabled, requiring only standard user credentials. The returned link may lead to full system compromise if the backup file is accessed, as it contains secrets like database passwords. This vulnerability is exploitable in default configurations where the API is active, making it a significant security oversight.
Platform: phpMyFAQ
Version: 4.0.16
Vulnerability: Unauthorized configuration backup
Severity: Medium
Date: Unknown

Prediction: Patch TBA

What Undercode Say:

Analytics

curl -c /tmp/pmf_api_cookies.txt -H 'Content-Type: application/json' -d '{"username":"tester","password":"Test1234!"}' http://192.168.40.16/phpmyfaq/api/v3.0/login
curl -i -b /tmp/pmf_api_cookies.txt -X POST --data '4.0.16' http://192.168.40.16/phpmyfaq/api/setup/backup

How Exploit:

Authenticate as user.

Call backup endpoint.

Retrieve ZIP link.

Protection from this CVE

Add authorization checks.

Disable unused APIs.

Update software version.

Impact:

Sensitive backup exposure.

Secret leakage risk.

Privilege escalation possible.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top