phpMyFAQ Authorization Bypass Vulnerability in Admin Pages

Vulnerability

An authorization bypass vulnerability has been identified in phpMyFAQ versions prior to 4.1.2. The issue resides in the userHasPermission() method of AbstractAdministrationController, which sends a forbidden response when the permission check fails but does not terminate execution afterwards: control returns to the calling controller, which goes on to render the protected page. Any authenticated user who can log in to the admin backend can therefore reach every permission-protected admin page by requesting its URL directly. As a result, sensitive information such as admin logs, user data, system details, and application configuration can be exposed.

Impact

Exploitation of this vulnerability allows any user who can log in to the admin backend to read all permission-protected admin pages, regardless of the permissions actually granted to the account. This includes sensitive data such as admin logs, user management information, system details, application configuration, and backup data. The forbidden response is still emitted, so a casual look at the page suggests access was denied, but the protected content follows it in the same response body.

Reproduction

To reproduce this vulnerability, create a test user who can log in to the admin backend but holds only minimal permissions. Log in as this user and request a permission-protected admin page, such as the admin log or system information page, by URL. On a vulnerable version the response contains both the forbidden page HTML and the full protected page content, appended one after the other; on a patched version only the forbidden page is returned.
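The following PHP illustrates the bug class described in the Vulnerability and Reproduction sections above. It is an added example, not phpMyFAQ's own code: the controller classes, the permission name 'adminlog' and the HTML markers are assumptions chosen to make the pattern visible. The vulnerable variant writes the forbidden response and then returns normally, so the caller keeps rendering; the fixed variant hands the forbidden response back to the caller, which returns it immediately. looksVulnerable() is the check a tester would run over a captured response body during reproduction.

```php
<?php
declare(strict_types=1);

// Added illustration (not phpMyFAQ's code). Requires PHP 8.0+ for str_contains()
// and constructor property promotion.

final class User
{
    /** @param string[] $permissions assumed flat list of permission names */
    public function __construct(private array $permissions) {}

    public function perm(string $name): bool
    {
        return in_array($name, $this->permissions, true);
    }
}

// --- Vulnerable pattern -------------------------------------------------------
abstract class VulnerableController
{
    protected string $body = '';

    protected function userHasPermission(User $user, string $permission): void
    {
        if (!$user->perm($permission)) {
            // The forbidden response is produced ...
            $this->body .= "<h1>403 Forbidden</h1>\n";
            // ... but nothing stops execution here: no exit(), no exception,
            // and no value the caller could branch on. Control simply returns.
        }
    }
}

final class VulnerableLogController extends VulnerableController
{
    public function show(User $user): string
    {
        $this->userHasPermission($user, 'adminlog'); // hypothetical permission name
        // Reached for every user, including the one who was just "forbidden".
        $this->body .= "<table id=\"adminlog\"><tr><td>login admin 10.0.0.5</td></tr></table>\n";
        return $this->body;
    }
}

// --- Fixed pattern ------------------------------------------------------------
abstract class FixedController
{
    /** Returns null when the user is allowed, otherwise the complete forbidden response. */
    protected function userHasPermission(User $user, string $permission): ?string
    {
        if (!$user->perm($permission)) {
            return "<h1>403 Forbidden</h1>\n";
        }
        return null;
    }
}

final class FixedLogController extends FixedController
{
    public function show(User $user): string
    {
        $forbidden = $this->userHasPermission($user, 'adminlog');
        if ($forbidden !== null) {
            return $forbidden; // stop here; the protected content is never built
        }
        return "<table id=\"adminlog\"><tr><td>login admin 10.0.0.5</td></tr></table>\n";
    }
}

// Reproduction check: a response that carries both the forbidden marker and the
// protected content is the vulnerable behaviour described in the advisory.
function looksVulnerable(string $response): bool
{
    return str_contains($response, '403 Forbidden')
        && str_contains($response, 'id="adminlog"');
}

// Constructed low-privilege account: can reach the controllers, lacks 'adminlog'.
$lowPriv = new User(['view_faqs']);

echo 'vulnerable controller: ',
    looksVulnerable((new VulnerableLogController())->show($lowPriv)) ? 'leaks protected content' : 'forbidden only', "\n";
echo 'fixed controller:      ',
    looksVulnerable((new FixedLogController())->show($lowPriv)) ? 'leaks protected content' : 'forbidden only', "\n";
```

The point of the fixed variant is that the permission helper returns something the caller must act on, so forgetting to stop becomes a visible control-flow decision at the call site rather than a silent fall-through. Throwing an exception that the front controller converts into a 403 response achieves the same effect without relying on every caller to check the return value.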

Remediation

Upgrade to phpMyFAQ version 4.1.2 or later, where this vulnerability has been patched. Because the flaw is reachable by any account that can log in to the admin backend, review which accounts hold such logins while the upgrade is pending.

Added: May 15, 2026, 7:30 PM
Updated: May 15, 2026, 7:30 PM

Vulnerability Rating

Custom Algorithm

spread:          3.1
impact:          3.1
exploitability:  6.6
remediation:     7.7
relevance:       8.4
threat:          6.4
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined to calculate the overall risk score.