Improper authorization control for web services in thorsten/phpmyfaq

Description

phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

Summary

A logged‑in user without the dlattachment right can download FAQ attachments. This is due to a permissive permission check in attachment.php that treats the mere presence of a right key as authorization and a flawed group/user logic expression.

Details

In attachment.php, the access decision uses:

($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment'])

isset() returns true as soon as the key exists, even when the right's value is false, so the right-hand side does not check whether the right is actually granted. The left-hand side, ($groupPermission || ($groupPermission && $userPermission)), is logically equivalent to $groupPermission alone, so for some permission modes the whole check simplifies to $groupPermission. As a result, a user without dlattachment can still access the attachment.
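To make the two defects concrete, the following PHP script is an added example (not phpMyFAQ's own code): it reproduces the check as quoted above, evaluates it for a user whose dlattachment right is present but set to false, and contrasts it with a check that treats a missing or false right as denial. The names $permission, $groupPermission and $userPermission follow the advisory; the hardened function is an illustration of the intended semantics, not the project's actual fix.

```php
<?php
// Added example, not code from phpMyFAQ. Demonstrates why the advisory's
// check passes a user whose dlattachment right is false, and shows one
// hardened form. Variable names mirror the advisory; the hardened
// semantics (right must be true AND both user/group checks pass) are an
// assumption about intent, not the project's patch.

declare(strict_types=1);

/** The check as described in the advisory (flawed). */
function flawedCheck(array $permission, bool $groupPermission, bool $userPermission): bool
{
    // A || (A && B) is just A, and isset() is true for a key whose value
    // is false, so the result is $groupPermission whenever the key exists.
    return ($groupPermission || ($groupPermission && $userPermission))
        && isset($permission['dlattachment']);
}

/** Hardened illustration: the right must be present and true, and both the
 *  user and the group check must pass. */
function hardenedCheck(array $permission, bool $groupPermission, bool $userPermission): bool
{
    // Missing key or any non-true value denies access.
    $hasRight = ($permission['dlattachment'] ?? false) === true;
    return $hasRight && $groupPermission && $userPermission;
}

// Constructed scenario matching the PoC: a logged-in non-admin user whose
// right key exists but is explicitly false.
$permission = ['dlattachment' => false];

$cases = [
    ['group' => true,  'user' => false],
    ['group' => true,  'user' => true],
    ['group' => false, 'user' => true],
    ['group' => false, 'user' => false],
];

printf("%-6s %-6s %-7s %-9s\n", 'group', 'user', 'flawed', 'hardened');
foreach ($cases as $c) {
    printf(
        "%-6s %-6s %-7s %-9s\n",
        var_export($c['group'], true),
        var_export($c['user'], true),
        var_export(flawedCheck($permission, $c['group'], $c['user']), true),
        var_export(hardenedCheck($permission, $c['group'], $c['user']), true)
    );
}
```

Running the script shows the flawed check granting access in every row where the group check is true, regardless of the user check and despite dlattachment being false, while the hardened check denies access in all four rows. Reviewing for this pattern (isset() or array_key_exists() used as a substitute for testing the right's value, and boolean expressions that collapse to a single operand) is a cheap way to catch similar authorization bugs elsewhere.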

PoC

Preconditions: a non-admin user exists; an attachment is associated with a FAQ record; records.allowDownloadsForGuests = false. Steps: log in as a non-admin user without the dlattachment right, then request the attachment download endpoint.

curl -c /tmp/pmf_api_cookies.txt \
  -H 'Content-Type: application/json' \
  -d '{"username":"tester","password":"Test1234!"}' \
  http://192.168.40.16/phpmyfaq/api/v3.0/login

curl -i -b /tmp/pmf_api_cookies.txt \
  "http://192.168.40.16/phpmyfaq/index.php?action=attachment&id=1"

Impact

Unauthorized users can download attachments (confidentiality breach). Depending on content, this may expose sensitive documents.

Mitigation
