phpMyFAQ WebAuthn Prepare Endpoint Unauthenticated Account Creation Vulnerability

Vulnerability

A vulnerability in phpMyFAQ versions through 4.1.0-RC.6 allows for the creation of user accounts via the WebAuthn prepare endpoint without authentication or proper validation. The endpoint lacks CSRF protection, captcha requirements, and configuration checks, enabling unauthenticated attackers to generate unlimited user accounts even when registration is disabled. This issue has been addressed in version 4.0.18.

Impact

Exploitation of this vulnerability bypasses registration controls, allowing accounts to be created when self-registration is disabled. It also enables username squatting, reserving usernames before legitimate users can claim them, and could lead to database exhaustion through the creation of large numbers of fake active accounts. Additionally, it bypasses WebAuthn configuration checks and works even when WebAuthn support is disabled.

Reproduction

To reproduce this vulnerability, send a POST request to the '/api/webauthn/prepare' endpoint with a JSON payload containing a 'username' field. This can be done without any authentication. The endpoint will create a new user account with the provided username, even if registration is disabled. This process can be repeated multiple times to create additional accounts.
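For defenders, the request pattern described above is easy to spot in web-server access logs: one client issuing repeated POSTs to /api/webauthn/prepare, typically with no preceding authenticated session. The following is an added detection example written for this advisory; it is not part of phpMyFAQ and not from the advisory's author. It assumes a combined-format access log (the nginx/Apache default) that records the request path verbatim, and the sample log lines, IPs and thresholds are constructed for illustration.

```python
"""Flag clients that hammer the phpMyFAQ WebAuthn prepare endpoint.

Added defender-side example: scans combined-format access log lines and
reports source IPs that POST to /api/webauthn/prepare at least
`threshold` times inside any sliding `window`, which is the signature
of mass account creation through this endpoint.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format (assumption: the log stores the raw request path).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
TARGET_PATH = "/api/webauthn/prepare"

# Constructed sample log: one client creating six accounts in six seconds,
# one legitimate-looking single call, and unrelated traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [27/Feb/2026:20:26:01 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '203.0.113.10 - - [27/Feb/2026:20:26:02 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '203.0.113.10 - - [27/Feb/2026:20:26:03 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '203.0.113.10 - - [27/Feb/2026:20:26:04 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '203.0.113.10 - - [27/Feb/2026:20:26:05 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '203.0.113.10 - - [27/Feb/2026:20:26:06 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 87 "-" "curl/8.5.0"',
    '198.51.100.7 - - [27/Feb/2026:20:30:00 +0000] "POST /api/webauthn/prepare HTTP/1.1" 200 87 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Feb/2026:20:30:01 +0000] "GET /index.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [27/Feb/2026:20:31:00 +0000] "POST /api/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: max_hits_in_window} for IPs exceeding the burst threshold."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == TARGET_PATH:
            hits[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        start, best = 0, 0
        # Sliding window over sorted timestamps: widest run within `window`.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} POSTs to {TARGET_PATH} within 5 minutes")
```

Tune `threshold` and `window` to the deployment: on an instance where self-registration is disabled (the case the advisory highlights), even a single POST to this endpoint from an unauthenticated client is worth reviewing, so `threshold=1` is a reasonable setting there. Correlating the flagged IPs against new rows in the user table for the same time span confirms whether accounts were actually created.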

Remediation

Users can update to phpMyFAQ version 4.0.18 or later, where this vulnerability has been fixed.

Added: Feb 27, 2026, 8:26 PM
Updated: Feb 27, 2026, 8:26 PM

Vulnerability Rating (Custom Algorithm)

  spread          3.1
  impact          5.6
  exploitability  9.5
  remediation     7.7
  relevance       3.3
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.