phpMyFAQ Attachment Download Vulnerability Due to Broken Access Control

Vulnerability

A broken access control vulnerability has been identified in phpMyFAQ versions up to and including 4.0.16. This issue allows authenticated users without the 'dlattachment' permission to download FAQ attachments. The vulnerability arises from an inadequate permissions check in 'attachment.php', where the mere presence of a right key is incorrectly accepted as proof of authorization. Additionally, the logic governing group and user permissions contains a flawed conditional expression that could lead to unauthorized access.

Impact

Exploitation of this vulnerability allows unauthorized users to download attachments, potentially leading to the exposure of sensitive documents.

Reproduction

To reproduce this vulnerability, log in as a non-admin user who does not have the 'dlattachment' permission. Ensure that 'records.allowDownloadsForGuests' is set to false and that an attachment is linked to a FAQ record. Then, request the attachment download endpoint. The access control flaw will permit the download despite the lack of the necessary permission.
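As an added illustration (not phpMyFAQ's own attachment.php), the check pattern described above: a weak test that mistakes key presence for a grant, beside a strict one that requires an explicit grant. The right-map layout, the function names and the way user and group rights are combined are assumptions.

```php
<?php
// Added illustration, not phpMyFAQ's attachment.php. The right-map layout,
// function names and the user/group combination are assumptions.
declare(strict_types=1);

// Constructed sample: rights as they might be loaded for an authenticated,
// non-admin user. The 'dlattachment' key exists but the right is not granted.
$userRights  = ['dlattachment' => false, 'viewfaq' => true];
$groupRights = ['dlattachment' => false];
$allowGuestDownloads = false; // stands in for records.allowDownloadsForGuests

// Weak check: key presence is mistaken for authorization. isset() is true
// for a key whose value is false, so a denied right is let through.
function canDownloadWeak(array $rights): bool
{
    return isset($rights['dlattachment']);
}

// Strict check: the right must be explicitly true for the user or for one
// of the user's groups; otherwise only the guest-download setting applies.
// Parentheses make the and/or grouping explicit so operator precedence
// cannot silently widen access.
function canDownloadStrict(array $userRights, array $groupRights, bool $guestsAllowed): bool
{
    $userGranted  = (($userRights['dlattachment'] ?? false) === true);
    $groupGranted = (($groupRights['dlattachment'] ?? false) === true);
    return $guestsAllowed || ($userGranted || $groupGranted);
}

$weak   = canDownloadWeak($userRights) ? 'allowed' : 'denied';
$strict = canDownloadStrict($userRights, $groupRights, $allowGuestDownloads) ? 'allowed' : 'denied';
echo "weak check:   download {$weak}\n";
echo "strict check: download {$strict}\n";
```

Run with `php` on the command line; the weak check reports the download as allowed for the same user the strict check denies.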

Remediation

Users are advised to update phpMyFAQ to version 4.0.17 or later, where this vulnerability has been patched.

Added: Jan 24, 2026, 3:17 AM
Updated: Jan 24, 2026, 3:17 AM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 2.5
exploitability: 6.6
remediation: 7.7
relevance: 2.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.