phpMyFAQ Missing Permission Check in Configuration API Endpoints Allows Information Disclosure

Vulnerability

A vulnerability exists in phpMyFAQ versions prior to 4.1.2, in the ConfigurationTabController.php file. Twelve endpoints are missing a permission check: they call userIsAuthenticated() instead of the required userHasPermission(CONFIGURATION_EDIT). As a result, any authenticated user can access and enumerate sensitive system configuration metadata, such as the permission model, cache backend, mail provider, and translation provider, by querying the /admin/api/configuration endpoints. This violates the principle of least privilege.

Impact

Exploitation of this vulnerability allows any authenticated user to access sensitive configuration information that could be used to facilitate further attacks. The exposed data includes the permission model, cache backend, mail provider, and translation provider, all of which could be leveraged in a targeted follow-up attack.

Reproduction

To reproduce this vulnerability, authenticate as any user with access to the phpMyFAQ application (even those with minimal permissions). Once authenticated, query the /admin/api/configuration endpoints that should require CONFIGURATION_EDIT permission. The response will include configuration data in HTML option format, indicating successful exploitation.

Remediation

Users are advised to update phpMyFAQ to version 4.1.2 or later, where this vulnerability has been addressed.
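
The audit script below is an added example, not code from phpMyFAQ or from this advisory. It scans a controller's public methods and reports any that lack a userHasPermission(CONFIGURATION_EDIT) call, including those gated only by userIsAuthenticated(). The embedded PHP sample and its method names are constructed for illustration, and the brace matching does not parse braces inside PHP strings.

```python
import re

# Constructed PHP sample for this example; it is not phpMyFAQ source and the
# method names are hypothetical. Only the two check names come from the advisory.
SAMPLE_CONTROLLER = """<?php
class SampleConfigurationController {
    public function save(Request $r): Response {
        $this->userHasPermission(CONFIGURATION_EDIT);
        return $this->store($r);
    }
    public function cacheBackends(): Response {
        $this->userIsAuthenticated();
        if ($this->ready()) { return new Response('<option>a</option>'); }
    }
    public function mailProviders(): Response {
        return new Response('<option>smtp</option>');
    }
    private function ready(): bool { return true; }
}
"""

METHOD_RE = re.compile(r"public\s+(?:static\s+)?function\s+(\w+)\s*\(")

def method_bodies(source):
    """Yield (name, body) per public method via brace matching (strings not parsed)."""
    for m in METHOD_RE.finditer(source):
        start = source.find("{", m.end())
        if start == -1 or ";" in source[m.end():start]:
            continue  # abstract or interface method: no body to inspect
        depth = 0
        for i in range(start, len(source)):
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            if depth == 0:
                yield m.group(1), source[start:i + 1]
                break

def audit(source, required="CONFIGURATION_EDIT"):
    """Return (method, reason) for public methods lacking the permission check."""
    gate = re.compile(r"userHasPermission\s*\([^)]*" + re.escape(required))
    findings = []
    for name, body in method_bodies(source):
        if gate.search(body):
            continue
        only_auth = "userIsAuthenticated(" in body
        findings.append((name, "authentication only" if only_auth else "no check"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONTROLLER))
```

A finding of "authentication only" matches the pattern this advisory describes; "no check" flags a public method with neither call, which needs manual review because the check may be enforced elsewhere.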

Added: May 15, 2026, 7:37 PM
Updated: May 15, 2026, 7:37 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.