phpMyFAQ Two-Factor Authentication Bypass Vulnerability via Unauthenticated Brute-Force on TOTP Codes

Vulnerability

phpMyFAQ versions prior to 4.1.2 allow an unauthenticated attacker to bypass two-factor authentication by brute-forcing a user's TOTP code. The /admin/check endpoint accepts an arbitrary user-id parameter and verifies the supplied token without checking that the request belongs to an authenticated session for that user, and without any rate limiting. Because a six-digit TOTP code (the common default) has only one million possible values and stays valid for a full time step plus any clock-skew tolerance, an attacker who can submit an unbounded number of guesses can walk through the code space with sequential POST requests until one is accepted, gaining full administrative access to the platform.

Impact

A successful attack bypasses two-factor authentication for any user whose user-id the attacker can name, including administrators; against an administrative account it yields full administrative rights on the phpMyFAQ instance.

Reproduction

To reproduce this vulnerability, send a POST request to the /admin/check endpoint containing the target user's user-id and a candidate token value, without any authenticated session. The endpoint evaluates the token regardless of who sent it, so iterating over candidate token values (manually, or with a script that sends many requests in a short period) until one is accepted demonstrates both the missing session binding and the missing rate limit.

Remediation

Users are advised to update phpMyFAQ to version 4.1.2 or later, where this vulnerability has been patched. Until the upgrade is applied, rate-limit or restrict access to /admin/check (and ideally the whole /admin path) at the reverse proxy or web server, since the application itself imposes no limit on attempts. Review access logs for bursts of POST requests to /admin/check from a single source; a burst followed by administrative activity should be treated as a likely compromise, and the affected account's password and TOTP secret should be reset.
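The log review suggested above can be automated. The following is an added example written for this page, not code from the phpMyFAQ project or from the advisory: it parses combined-format access-log lines and flags any client IP that POSTs to /admin/check more than a threshold number of times inside a sliding time window, which is the traffic pattern a TOTP brute-force against this endpoint produces. The log lines, IP addresses, threshold of 20 requests per 60 seconds and the attacker/legitimate-user behaviour are all constructed for the example; tune the threshold to your own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined-log-format regex: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        # Drop any query string so /admin/check?x=1 still matches the path.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, path="/admin/check", threshold=20, window=timedelta(seconds=60)):
    """Flag client IPs that POST to `path` at least `threshold` times within `window`.

    Returns {ip: {"count": n, "at": timestamp when the threshold was crossed}}.
    Only the first crossing per IP is recorded. Events are sorted by time first
    so the sliding window is correct even if the log is slightly out of order.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # ip -> timestamps of matching POSTs still inside the window
    alerts = {}
    for ev in events:
        if ev["method"] != "POST" or ev["path"] != path:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # expire entries older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerts:
            alerts[ev["ip"]] = {"count": len(q), "at": ev["ts"]}
    return alerts


def _log_line(ip, ts, method, path, status):
    """Format one synthetic combined-format line (helper for the constructed sample)."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "python-requests/2.31"')


def constructed_sample_log():
    """Constructed sample traffic for this example; not real phpMyFAQ logs.

    198.51.100.4 behaves like a legitimate admin (one page view, one 2FA
    submission). 203.0.113.7 behaves like the attack in the advisory: one
    POST to /admin/check per second for 40 seconds, plus one unrelated GET.
    """
    base = datetime(2026, 5, 15, 19, 0, 0, tzinfo=timezone.utc)
    lines = [
        _log_line("198.51.100.4", base, "GET", "/admin/", 200),
        _log_line("198.51.100.4", base + timedelta(seconds=12), "POST", "/admin/check", 200),
        _log_line("203.0.113.7", base + timedelta(seconds=5), "GET", "/index.php", 200),
    ]
    lines += [
        _log_line("203.0.113.7", base + timedelta(seconds=i), "POST", "/admin/check", 200)
        for i in range(40)
    ]
    return lines


if __name__ == "__main__":
    for ip, info in detect_bruteforce(constructed_sample_log()).items():
        print(f"ALERT {ip}: {info['count']} POST /admin/check within 60s, "
              f"threshold crossed at {info['at']:%H:%M:%S}")
```

On the constructed sample the attacker's IP is flagged at its 20th request (19 seconds in) while the legitimate user's single 2FA submission is not. The detector keys on the client IP only; an attacker spreading guesses across many sources would need a per-user-id view, which requires logging the POST body or the application's own authentication events rather than the access log alone.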

Added: May 15, 2026, 7:35 PM
Updated: May 15, 2026, 7:35 PM

Vulnerability Rating

Custom Algorithm

spread:          3.1
impact:          5.0
exploitability:  9.1
remediation:     7.7
relevance:       8.4
threat:          6.4
urgency:         2.9
incentive:       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.