phpMyFAQ
cpe:2.3:a:phpmyfaq:phpmyfaq:*:*:*:*:*:*:*
- <= 4.1.1
A permission bypass vulnerability allowing information disclosure has been identified in phpMyFAQ versions prior to 4.1.2. The issue resides in the 'getIdFromSolutionId()' method, which lacks proper permission filtering. This flaw enables unauthenticated attackers to enumerate restricted FAQ entries and access their titles through the '/solution_id_{id}.html' endpoint. By sequentially iterating solution IDs, attackers can uncover all FAQs, including those limited to specific users or groups. The vulnerability leaks sensitive metadata via redirect Location headers and canonical links on the accessed pages.
Exploitation of this vulnerability allows unauthorized users to access and read the titles of restricted FAQ entries, potentially revealing sensitive information depending on the content of the FAQs. In environments where phpMyFAQ is used to manage confidential information, this could lead to unintended disclosure of private topics.
To reproduce this vulnerability, send an unauthenticated GET request to the '/solution_id_{id}.html' endpoint, replacing '{id}' with a solution ID known to be restricted. The server will respond with a 301 redirect to the corresponding FAQ content page. The redirect's Location header and the canonical link on the page will disclose the title and other metadata of the FAQ, including those restricted to specific users or groups. This process can be automated by iterating through a range of solution IDs and recording the responses.
Users are advised to update phpMyFAQ to version 4.1.2 or later, where this vulnerability has been patched.
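Until the update is applied, the enumeration described above leaves a recognisable trace in the web server's access log: one client requesting many consecutive '/solution_id_{id}.html' URLs. The following Python script is an added example (not part of this advisory or of the phpMyFAQ project) that scans combined-format access log lines for that pattern; the log lines, client addresses and the content-page path are constructed samples, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not real traffic): one client
# walking consecutive solution IDs, one ordinary visitor following a single link.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /solution_id_1000.html HTTP/1.1" 301 0 "-" "curl/8.4"
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /solution_id_1001.html HTTP/1.1" 301 0 "-" "curl/8.4"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /solution_id_1002.html HTTP/1.1" 301 0 "-" "curl/8.4"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /solution_id_1003.html HTTP/1.1" 301 0 "-" "curl/8.4"
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "GET /solution_id_1004.html HTTP/1.1" 301 0 "-" "curl/8.4"
198.51.100.4 - - [10/Jan/2025:10:05:00 +0000] "GET /solution_id_1042.html HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jan/2025:10:05:02 +0000] "GET /content/1042/example-title.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
SOLUTION_RE = re.compile(r"^/solution_id_(?P<id>\d+)\.html$")

def solution_requests(log_text):
    """Yield (ip, solution_id, status) for each request to /solution_id_{id}.html."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = SOLUTION_RE.match(m.group("path"))
        if s:
            yield m.group("ip"), int(s.group("id")), int(m.group("status"))

def find_enumerators(log_text, min_ids=5, max_gap=1):
    """Return {ip: sorted solution IDs} for clients whose requests contain a run of at
    least `min_ids` distinct IDs where neighbours differ by at most `max_gap`. The 301 is
    normal for public and restricted entries alike, so the signal is the ID pattern."""
    ids_by_ip = defaultdict(set)
    for ip, sid, _status in solution_requests(log_text):
        ids_by_ip[ip].add(sid)
    flagged = {}
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        run = best = 1
        for a, b in zip(ordered, ordered[1:]):
            run = run + 1 if b - a <= max_gap else 1
            best = max(best, run)
        if best >= min_ids:
            flagged[ip] = ordered
    return flagged

if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: walked {len(ids)} solution IDs ({ids[0]}..{ids[-1]}), review for enumeration")
```

To use it on a real deployment, replace SAMPLE_LOG with the contents of the access log and adjust min_ids and max_gap to the site's normal traffic; a hit is a reason to review that client's activity and confirm the upgrade to 4.1.2 has been applied.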