GHSA-RM98-82FR-MCFX

Vulnerability from github – Published: 2026-05-06 20:24 – Updated: 2026-05-06 20:24
VLAI?
Summary
phpMyFAQ's Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User
Details

Summary

12 endpoints in ConfigurationTabController.php use userIsAuthenticated() (login-only check) instead of userHasPermission(PermissionType::CONFIGURATION_EDIT). This allows any authenticated user — including ones with zero admin permissions — to enumerate system configuration metadata including the permission model, active template, cache backend, mail provider, and translation provider.

Details

The ConfigurationTabController contains 15 public endpoints. Three of them (list, save, uploadTheme) correctly enforce CONFIGURATION_EDIT permission:

// phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php:63
public function list(Request $request): Response
{
    $this->userHasPermission(PermissionType::CONFIGURATION_EDIT); // ✅ Correct
    // ...
}

The remaining 12 only check that the user is logged in:

// phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php:353
public function translations(): Response
{
    $this->userIsAuthenticated(); // ❌ Missing permission check
    // ...
}

The difference between these two methods is significant:

// AbstractController.php:258 — login-only
protected function userIsAuthenticated(): void
{
    if (!$this->currentUser->isLoggedIn()) {
        throw new UnauthorizedHttpException(challenge: 'User is not authenticated.');
    }
}

// AbstractController.php:317 — login + permission check
protected function userHasPermission(PermissionType $permissionType): void
{
    if (!$this->currentUser->isLoggedIn()) {
        throw new UnauthorizedHttpException(challenge: 'User is not authenticated.');
    }
    $currentUser = $this->currentUser;
    if (!$currentUser?->perm->hasPermission($currentUser->getUserId(), $permissionType->value)) {
        throw new ForbiddenException(/* ... */);
    }
}

There is no middleware or router-level authorization — the Kernel (Kernel.php) dispatches directly to controllers with only Language, Router, and Exception listeners. All authorization is at the controller method level.

The 12 affected endpoints (all GET, all under /admin/api/):

# Method Route Info Exposed
1 translations() /configuration/translations Available languages + current language
2 templates() /configuration/templates Available themes + active theme
3 faqsSortingKey() /configuration/faqs-sorting-key/{current} FAQ sorting key options
4 faqsSortingOrder() /configuration/faqs-sorting-order/{current} FAQ sorting order
5 faqsSortingPopular() /configuration/faqs-sorting-popular/{current} Popular FAQ sorting
6 permLevel() /configuration/perm-level/{current} Permission model (basic/medium)
7 releaseEnvironment() /configuration/release-environment/{current} Dev/production environment
8 searchRelevance() /configuration/search-relevance/{current} Search relevance config
9 seoMetaTags() /configuration/seo-metatags/{current} SEO meta tag config
10 translationProvider() /configuration/translation-provider/{current} Translation service (DeepL, etc.)
11 mailProvider() /configuration/mail-provider/{current} Mail provider (SMTP, etc.)
12 cacheAdapter() /configuration/cache-adapter/{current} Cache backend (filesystem/redis/memcached)

The translations() and templates() endpoints directly read from config/filesystem and expose current settings. The {current} endpoints render HTML <option> dropdowns where the caller-supplied value gets the selected attribute — an attacker can enumerate possible values to discover the current configuration.

PoC

# Step 1: Authenticate as any user (even one with no admin permissions)
# and obtain the session cookie (pmf_auth_XXXX)

# Step 2: Query configuration endpoints that should require CONFIGURATION_EDIT permission

# Enumerate available languages and current language setting
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/translations

# Enumerate available templates and which is active
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/templates

# Discover permission model by trying known values
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/perm-level/basic

# Discover release environment
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/release-environment/development

# Discover cache backend
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/cache-adapter/filesystem

# Discover mail provider
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/mail-provider/smtp

# Discover translation provider
curl -s -b 'pmf_auth_XXXX=<session>' \
  https://target.example/admin/api/configuration/translation-provider/deepl

Expected: HTTP 403 Forbidden for a user without configuration_edit permission. Actual: HTTP 200 with configuration data in HTML option format.

Impact

Any authenticated user (e.g., a regular FAQ contributor or a user with minimal permissions) can enumerate:

  • The instance's permission model (basic vs. medium) — reveals access control architecture
  • Whether the instance runs in development or production mode — development mode may expose debug info
  • The cache backend (filesystem/redis/memcached) — useful for targeting cache-specific attacks
  • The mail provider configuration — reveals infrastructure details
  • Available and active templates/themes — aids in targeting template-specific vulnerabilities
  • Translation provider (e.g., DeepL) — reveals third-party service integrations

While no credentials or secrets are directly exposed, this configuration metadata aids targeted follow-up attacks and violates the principle of least privilege — these endpoints exist to serve the admin configuration UI and should require the same CONFIGURATION_EDIT permission as the list and save endpoints.

Recommended Fix

Replace $this->userIsAuthenticated() with $this->userHasPermission(PermissionType::CONFIGURATION_EDIT) in all 12 affected methods:

// In ConfigurationTabController.php — apply to all 12 methods
// Before (line 355, and equivalent in all others):
$this->userIsAuthenticated();

// After:
$this->userHasPermission(PermissionType::CONFIGURATION_EDIT);

Affected methods: translations(), templates(), faqsSortingKey(), faqsSortingOrder(), faqsSortingPopular(), permLevel(), releaseEnvironment(), searchRelevance(), seoMetaTags(), translationProvider(), mailProvider(), cacheAdapter().

Severity ?
4.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "thorsten/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.1"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "phpmyfaq/phpmyfaq"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T20:24:39Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\n12 endpoints in `ConfigurationTabController.php` use `userIsAuthenticated()` (login-only check) instead of `userHasPermission(PermissionType::CONFIGURATION_EDIT)`. This allows any authenticated user \u2014 including ones with zero admin permissions \u2014 to enumerate system configuration metadata including the permission model, active template, cache backend, mail provider, and translation provider.\n\n## Details\n\nThe `ConfigurationTabController` contains 15 public endpoints. Three of them (`list`, `save`, `uploadTheme`) correctly enforce `CONFIGURATION_EDIT` permission:\n\n```php\n// phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php:63\npublic function list(Request $request): Response\n{\n    $this-\u003euserHasPermission(PermissionType::CONFIGURATION_EDIT); // \u2705 Correct\n    // ...\n}\n```\n\nThe remaining 12 only check that the user is logged in:\n\n```php\n// phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php:353\npublic function translations(): Response\n{\n    $this-\u003euserIsAuthenticated(); // \u274c Missing permission check\n    // ...\n}\n```\n\nThe difference between these two methods is significant:\n\n```php\n// AbstractController.php:258 \u2014 login-only\nprotected function userIsAuthenticated(): void\n{\n    if (!$this-\u003ecurrentUser-\u003eisLoggedIn()) {\n        throw new UnauthorizedHttpException(challenge: \u0027User is not authenticated.\u0027);\n    }\n}\n\n// AbstractController.php:317 \u2014 login + permission check\nprotected function userHasPermission(PermissionType $permissionType): void\n{\n    if (!$this-\u003ecurrentUser-\u003eisLoggedIn()) {\n        throw new UnauthorizedHttpException(challenge: \u0027User is not authenticated.\u0027);\n    }\n    $currentUser = $this-\u003ecurrentUser;\n    if (!$currentUser?-\u003eperm-\u003ehasPermission($currentUser-\u003egetUserId(), $permissionType-\u003evalue)) {\n        throw new ForbiddenException(/* ... */);\n    }\n}\n```\n\nThere is no middleware or router-level authorization \u2014 the Kernel (`Kernel.php`) dispatches directly to controllers with only Language, Router, and Exception listeners. All authorization is at the controller method level.\n\nThe 12 affected endpoints (all GET, all under `/admin/api/`):\n\n| # | Method | Route | Info Exposed |\n|---|--------|-------|-------------|\n| 1 | `translations()` | `/configuration/translations` | Available languages + current language |\n| 2 | `templates()` | `/configuration/templates` | Available themes + active theme |\n| 3 | `faqsSortingKey()` | `/configuration/faqs-sorting-key/{current}` | FAQ sorting key options |\n| 4 | `faqsSortingOrder()` | `/configuration/faqs-sorting-order/{current}` | FAQ sorting order |\n| 5 | `faqsSortingPopular()` | `/configuration/faqs-sorting-popular/{current}` | Popular FAQ sorting |\n| 6 | `permLevel()` | `/configuration/perm-level/{current}` | Permission model (basic/medium) |\n| 7 | `releaseEnvironment()` | `/configuration/release-environment/{current}` | Dev/production environment |\n| 8 | `searchRelevance()` | `/configuration/search-relevance/{current}` | Search relevance config |\n| 9 | `seoMetaTags()` | `/configuration/seo-metatags/{current}` | SEO meta tag config |\n| 10 | `translationProvider()` | `/configuration/translation-provider/{current}` | Translation service (DeepL, etc.) |\n| 11 | `mailProvider()` | `/configuration/mail-provider/{current}` | Mail provider (SMTP, etc.) |\n| 12 | `cacheAdapter()` | `/configuration/cache-adapter/{current}` | Cache backend (filesystem/redis/memcached) |\n\nThe `translations()` and `templates()` endpoints directly read from config/filesystem and expose current settings. The `{current}` endpoints render HTML `\u003coption\u003e` dropdowns where the caller-supplied value gets the `selected` attribute \u2014 an attacker can enumerate possible values to discover the current configuration.\n\n## PoC\n\n```bash\n# Step 1: Authenticate as any user (even one with no admin permissions)\n# and obtain the session cookie (pmf_auth_XXXX)\n\n# Step 2: Query configuration endpoints that should require CONFIGURATION_EDIT permission\n\n# Enumerate available languages and current language setting\ncurl -s -b \u0027pmf_auth_XXXX=\u003csession\u003e\u0027 \\\n  https://target.example/admin/api/configuration/translations\n\n# Enumerate available templates and which is active\ncurl -s -b \u0027pmf_auth_XXXX=\u003csession\u003e\u0027 \\\n  https://target.example/admin/api/configuration/templates\n\n# Discover permission model by trying known values\ncurl -s -b \u0027pmf_auth_XXXX=\u003csession\u003e\u0027 \\\n  https://target.example/admin/api/configuration/perm-level/basic\n\n# Discover release environment\ncurl -s -b \u0027pmf_auth_XXXX=\u003csession\u003e\u0027 \\\n  https://target.example/admin/api/configuration/release-environment/development\n\n# Discover cache backend\ncurl -s -b \u0027pmf_auth_XXXX=\u003csession\u003e\u0027 \\\n  https://target.example/admin/api/configuration/cache-adapter/filesystem\n\n# Discover mail provider\ncurl -s -b \u0027pmf_auth_XXXX=\u003csession\u003e\u0027 \\\n  https://target.example/admin/api/configuration/mail-provider/smtp\n\n# Discover translation provider\ncurl -s -b \u0027pmf_auth_XXXX=\u003csession\u003e\u0027 \\\n  https://target.example/admin/api/configuration/translation-provider/deepl\n```\n\nExpected: HTTP 403 Forbidden for a user without `configuration_edit` permission.\nActual: HTTP 200 with configuration data in HTML option format.\n\n## Impact\n\nAny authenticated user (e.g., a regular FAQ contributor or a user with minimal permissions) can enumerate:\n\n- The instance\u0027s permission model (basic vs. medium) \u2014 reveals access control architecture\n- Whether the instance runs in development or production mode \u2014 development mode may expose debug info\n- The cache backend (filesystem/redis/memcached) \u2014 useful for targeting cache-specific attacks\n- The mail provider configuration \u2014 reveals infrastructure details\n- Available and active templates/themes \u2014 aids in targeting template-specific vulnerabilities\n- Translation provider (e.g., DeepL) \u2014 reveals third-party service integrations\n\nWhile no credentials or secrets are directly exposed, this configuration metadata aids targeted follow-up attacks and violates the principle of least privilege \u2014 these endpoints exist to serve the admin configuration UI and should require the same `CONFIGURATION_EDIT` permission as the `list` and `save` endpoints.\n\n## Recommended Fix\n\nReplace `$this-\u003euserIsAuthenticated()` with `$this-\u003euserHasPermission(PermissionType::CONFIGURATION_EDIT)` in all 12 affected methods:\n\n```php\n// In ConfigurationTabController.php \u2014 apply to all 12 methods\n// Before (line 355, and equivalent in all others):\n$this-\u003euserIsAuthenticated();\n\n// After:\n$this-\u003euserHasPermission(PermissionType::CONFIGURATION_EDIT);\n```\n\nAffected methods: `translations()`, `templates()`, `faqsSortingKey()`, `faqsSortingOrder()`, `faqsSortingPopular()`, `permLevel()`, `releaseEnvironment()`, `searchRelevance()`, `seoMetaTags()`, `translationProvider()`, `mailProvider()`, `cacheAdapter()`.",
  "id": "GHSA-rm98-82fr-mcfx",
  "modified": "2026-05-06T20:24:39Z",
  "published": "2026-05-06T20:24:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-rm98-82fr-mcfx"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/thorsten/phpMyFAQ"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "phpMyFAQ\u0027s Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.