Summary
Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP.
Details
SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path.
PoC
Precondition: API enabled, any authenticated non‑admin user.
- Log in as a non‑admin user.
- Call backup endpoint.
curl -c /tmp/pmf_api_cookies.txt \
-H 'Content-Type: application/json' \
-d '{"username":"tester","password":"Test1234!"}' \
http://192.168.40.16/phpmyfaq/api/v3.0/login
curl -i -b /tmp/pmf_api_cookies.txt \
-X POST --data '4.0.16' \
http://192.168.40.16/phpmyfaq/api/setup/backup
Impact
Low‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposure.
Brahim-Fouad Reporter
Summary
Authenticated non‑admin users can call /api/setup/backup and trigger a configuration backup. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP.
Details
SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged‑in user to create a sensitive backup and retrieve its path.
PoC
Precondition: API enabled, any authenticated non‑admin user.
Impact
Low‑privileged users can generate sensitive backups. If the ZIP is web‑accessible (server misconfiguration), this can lead to secret exposure.