phpMyFAQ
cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*
- <= 4.0.16
An authorization vulnerability has been identified in phpMyFAQ versions through 4.0.16. The issue arises in the /api/setup/backup endpoint, which is accessible to all authenticated users, regardless of their permissions. The SetupController.php file uses userIsAuthenticated() for authentication but fails to check if the user has configuration or admin rights. As a result, non-admin users can initiate a configuration backup and obtain the backup's file path. The endpoint only verifies authentication, not authorization, and provides a link to download the generated ZIP file. This vulnerability could lead to the exposure of sensitive information if the backup ZIP file is accessible via the web due to server misconfiguration.
This vulnerability allows low-privileged users to create sensitive backups and access their file paths. If the generated ZIP file is publicly accessible, it could result in the exposure of confidential information.
To reproduce this vulnerability, log in as a non-admin user with the API enabled. Once authenticated, call the /api/setup/backup endpoint. The request will succeed, and a link to the generated backup ZIP file will be returned.
Users can upgrade to phpMyFAQ version 4.0.17 or later to address this vulnerability.
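The gap described above, an endpoint that checks authentication but not authorization, modeled as an added example (this is not phpMyFAQ's code). Only userIsAuthenticated() is a name from the advisory; the classes, userHasRight(), the 'config.edit' right and the placeholder file name are hypothetical.

```php
<?php
// Model only: apart from userIsAuthenticated(), all names are hypothetical
// and are not taken from phpMyFAQ's code base.
final class AccessDenied extends RuntimeException {}

abstract class SetupControllerModel
{
    /** @param string[] $rights rights held by the current user */
    public function __construct(protected bool $loggedIn, protected array $rights = []) {}

    // Authentication: is anyone logged in at all?
    protected function userIsAuthenticated(): void
    {
        if (!$this->loggedIn) { throw new AccessDenied('401 login required'); }
    }

    // Hypothetical authorization gate: the caller must hold the named right.
    protected function userHasRight(string $right): void
    {
        if (!in_array($right, $this->rights, true)) { throw new AccessDenied("403 missing right: $right"); }
    }
}

final class VulnerableController extends SetupControllerModel
{
    public function backup(): string
    {
        $this->userIsAuthenticated();       // authentication only
        return 'backup-placeholder.zip';    // any logged-in user gets the path
    }
}

final class HardenedController extends SetupControllerModel
{
    public function backup(): string
    {
        $this->userIsAuthenticated();
        $this->userHasRight('config.edit'); // authorization before any work is done
        return 'backup-placeholder.zip';
    }
}

// Constructed users: one holding the configuration right, one without it.
foreach ([VulnerableController::class, HardenedController::class] as $class) {
    foreach (['admin' => ['config.edit'], 'non-admin' => []] as $who => $rights) {
        try {
            $out = (new $class(true, $rights))->backup();
        } catch (AccessDenied $e) {
            $out = $e->getMessage();
        }
        echo "$class / $who: $out\n";
    }
}
```

The same two-user comparison works as a regression test for any privileged API route: the non-admin case must fail before the handler does any work.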