Brahim-Fouad

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions 4.0.16 and below **Description** A logged-in user without the necessary permission can download FAQ attachments. This is due to an incorrect permission check in the `attachment.php` file, where the presence of a permission key is incorrectly treated as authorization. The group and user permission logic also contains a flawed conditional expression that can allow unauthorized access. The **API endpoint** used for attachment download is `/index.php?action=attachment&id=1`. The vulnerable parameter is `id`. The flawed logic involves the expression `($groupPermission || ($groupPermission && $userPermission)) && isset($permission['dlattachment'])`, where `isset()` incorrectly validates the permission. **Recommendations** Versions prior to 4.0.17 should be updated.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions 4.0.14 through 4.0.16 **Description** phpMyFAQ is a web-based FAQ application. A flaw in authorization logic exists in versions 4.0.14 and below, exposing the `/api/setup/backup` API endpoint to any authenticated user, regardless of their permissions. The `SetupController.php` file uses `userIsAuthenticated()` but does not verify if the user has the necessary configuration or administrative permissions. This allows non-admin users to initiate a configuration backup and obtain its file path. The endpoint only validates authentication, not authorization, and provides a link to the created ZIP archive. Exploitation involves logging in as a non-admin user and calling the backup endpoint. This can lead to the generation of sensitive backups, potentially exposing secrets if the ZIP file is accessible via the web server. **Recommendations** Versions 4.0.14 through 4.0.16 should be updated to version 4.0.17 or later.

**Name of the Vulnerable Software and Affected Versions** phpMyFAQ versions 3.0 (affected versions not specified) **Description** Several public API endpoints disclose email addresses and non-public records, such as questions marked as invisible. The `OpenQuestionController::list()` function calls `Question::getAll()` with the default `showAll=true` setting, resulting in the exposure of invisible questions and associated email addresses. Similar issues exist in the comment, news, and FAQ APIs. An attacker can use a simple `curl` command to retrieve this information from the API endpoint. This can lead to privacy exposure, increasing the risk of phishing and data scraping. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.