phpMyFAQ Unauthenticated SQL Injection Vulnerability in Captcha API

A critical SQL injection vulnerability has been identified in phpMyFAQ versions prior to 4.1.2. The issue resides in the BuiltinCaptcha class, specifically within the garbageCollector and saveCaptcha methods. These methods improperly handle User-Agent headers, incorporating them into SQL DELETE and INSERT queries without proper sanitization. This vulnerability is exploitable through the public GET /api/captcha endpoint, allowing unauthenticated attackers to execute time-based blind SQL injection. Exploitation of this vulnerability could lead to the extraction of sensitive information from the database, including user credentials, admin tokens, and SMTP credentials.

Impact

Exploitation of this vulnerability allows for unauthenticated remote SQL injection, with the potential to read sensitive data such as user credential hashes, admin tokens, and SMTP credentials. Additionally, it enables unauthorized modification or deletion of database records.

Reproduction

To reproduce this vulnerability, send a GET request to the /api/captcha endpoint with a crafted User-Agent header that includes a SQL injection payload. The injection can be verified by using time-based SQL injection techniques, such as the SLEEP() function, to observe delayed response times.

Remediation

Users are advised to update phpMyFAQ to version 4.1.2 or later, where this vulnerability has been patched.