CVE-2025-69200
phpMyFAQ has unauthenticated config backup download via /api/setup/backup
Description
### Summary An unauthenticated remote attacker can trigger generation of a configuration backup ZIP via `POST /api/setup/backup` and then download the generated ZIP from a web-accessible location. The ZIP contains sensitive configuration files (e.g., `database.php` with database credentials), leading to high-impact information disclosure and potential follow-on compromise. ### Details The endpoint `/api/setup/backup` is reachable via default rewrite rules and does not enforce authentication/authorization or API token verification. When called with any non-empty body (used as an “installed version” string), the server creates a ZIP archive inside the configuration directory and returns a direct URL to the generated ZIP file. Relevant code paths: - Rewrite rule exposing the endpoint: - `phpmyfaq/.htaccess`: `RewriteRule ^api/setup/(check|backup|update-database) api/index.php [L,QSA]` - Controller implementation: - `phpmyfaq/src/phpMyFAQ/Controller/Api/SetupController.php` → `backup()` - No call to `hasValidToken()`, `userIsAuthenticated()`, or any permission check - Backup creation: - `phpmyfaq/src/phpMyFAQ/Setup/Update.php` → `createConfigBackup()` - Writes the ZIP into the config directory and returns a public URL under `content/core/config/` ### PoC Replace `BASE_URL` with your instance URL. 1) Trigger config backup generation without authentication: ```bash BASE_URL="http://localhost" curl -i -X POST "${BASE_URL}/api/setup/backup" \ -H "Content-Type: text/plain" \ --data "4.1.0-RC" ``` Expected result: `200 OK` with JSON containing `backupFile`. 2) Copy the `backupFile` URL from the JSON response and download it (still without authentication): ```bash # Example (replace with the exact URL returned in step 1) curl -i "http://localhost/content/core/config/phpmyfaq-config-backup.YYYY-MM-DD.zip" -o phpmyfaq-config-backup.zip ``` 3) Verify sensitive content exists in the ZIP: ```bash unzip -l phpmyfaq-config-backup.zip unzip -p phpmyfaq-config-backup.zip database.php ``` Observed: `database.php` is included and contains DB host/user/password. ### Impact - Vulnerability class: Missing authentication/authorization for a sensitive function + sensitive information exposure. - Who is impacted: Any internet-exposed phpMyFAQ installation where the default `.htaccess` rewrite rules are active and the endpoint is reachable. - Security impact: Disclosure of configuration secrets (DB credentials, integration config, etc.), enabling follow-on attacks such as database takeover and data exfiltration.
How to fix CVE-2025-69200
To remediate CVE-2025-69200, upgrade the affected package to a fixed version below.