Threat Feed
high advisory

phpMyFAQ Authentication Bypass Allows Account Takeover

An authentication bypass vulnerability in phpMyFAQ allows an unauthenticated attacker to reset the password of any user account, including SuperAdmin accounts, by sending a single PUT request with a valid username and its associated email address to /api/user/password/update. The application regenerates the password and emails it in plaintext: an attacker who can read that mailbox gains complete control of the account, and even without mailbox access the request invalidates the victim's current password and locks the legitimate user out.

A critical authentication bypass vulnerability exists in phpMyFAQ versions prior to 4.1.3. This flaw allows an unauthenticated attacker to reset the password of any user account, including those with SuperAdmin privileges. The /api/user/password/update endpoint (reachable under the installation prefix, for example /phpmyfaq/api/user/password/update) performs no password reset token verification, no rate limiting, and no email confirmation: a single PUT request whose JSON body carries a valid username and the email address on file is enough to make the application generate a new plaintext password and send it to that address. An attacker who can read the mailbox therefore takes over the account outright; one who cannot still replaces the victim's password with every request. Because the endpoint answers differently for an unknown username and for a wrong email address, it also serves as a username enumeration oracle. This poses a significant risk to organizations using phpMyFAQ for knowledge management and support purposes.

Attack Chain

  1. The attacker identifies a target phpMyFAQ instance.
  2. The attacker sends a PUT request to /phpmyfaq/api/user/password/update with a candidate username and a deliberately incorrect email address; the response reveals whether the username exists (username enumeration).
  3. Once a valid username is confirmed, the attacker sends another PUT request to the same endpoint with that username and its associated email address in the JSON body.
  4. The application processes the request without demanding any proof that the requester controls the account: no reset token is checked, no rate limit applies, and no email confirmation step is required.
  5. The application generates a new plaintext password for the specified user account.
  6. The application sends the new plaintext password to the user's email address.
  7. The attacker obtains the email containing the new password. This step presupposes access to the victim's mailbox or mail path; without it the request still replaces the victim's password and locks the legitimate user out.
  8. The attacker uses the new password to log in to the phpMyFAQ application and take complete control of the account.
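The two flows side by side, as an added Python example that is not phpMyFAQ's code: VulnerableResetService models the behaviour the attack chain above describes (steps 2 to 6, including the enumeration oracle), while HardenedResetService shows the three controls the advisory says are missing, a uniform response, a per-client rate limit, and a single-use, time-limited token that must come back from the mailbox before the password changes. The user directory, status codes, in-memory outbox and client addresses are constructed for the example; the real phpMyFAQ internals and exact responses are not reproduced here.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

# Constructed in-memory user directory (illustrative, not phpMyFAQ's schema).
USERS = {"admin": "admin@example.org", "alice": "alice@example.org"}


class VulnerableResetService:
    """Models the behaviour the advisory describes: one unauthenticated PUT with a
    matching username/email pair immediately regenerates the password and mails it."""

    def __init__(self, users):
        self.users = dict(users)
        self.passwords = {}
        self.outbox = []  # (recipient, body): stands in for the mail transport

    def password_update(self, username, email):
        # Distinct error paths give an attacker a username-enumeration oracle.
        if username not in self.users:
            return 404, {"error": "Unknown user"}
        if self.users[username] != email:
            return 400, {"error": "Email does not match user"}
        # No reset token, no confirmation step: the password changes right here.
        new_password = secrets.token_urlsafe(12)
        self.passwords[username] = new_password
        self.outbox.append((email, f"Your new password is {new_password}"))
        return 200, {"success": "Password reset, check your email"}


class HardenedResetService:
    """Hardened flow: uniform responses, per-client rate limit, and a single-use,
    time-limited token that must come back from the mailbox before anything changes."""

    TOKEN_TTL = 900      # seconds a reset token stays valid (assumed value)
    MAX_REQUESTS = 5     # reset requests allowed per client per window (assumed value)
    WINDOW = 600         # rate-limit window in seconds (assumed value)

    def __init__(self, users, now=time.time):
        self.users = dict(users)
        self.passwords = {}
        self.outbox = []
        self.tokens = {}                # sha256(token) -> (username, expiry)
        self.hits = defaultdict(deque)  # client_ip -> recent request timestamps
        self.now = now

    def _rate_limited(self, client_ip):
        stamps = self.hits[client_ip]
        t = self.now()
        while stamps and stamps[0] < t - self.WINDOW:
            stamps.popleft()
        if len(stamps) >= self.MAX_REQUESTS:
            return True
        stamps.append(t)
        return False

    def request_reset(self, username, email, client_ip):
        if self._rate_limited(client_ip):
            return 429, {"error": "Too many requests"}
        # Same status and body whether or not the pair matches: no enumeration oracle.
        if self.users.get(username) == email:
            token = secrets.token_urlsafe(32)
            # Store only a hash so a database dump does not expose live tokens.
            digest = hashlib.sha256(token.encode()).hexdigest()
            self.tokens[digest] = (username, self.now() + self.TOKEN_TTL)
            # Only the token travels by mail; the user picks the new password later.
            self.outbox.append((email, f"Reset link: /reset?token={token}"))
        return 202, {"success": "If the account exists, a reset link has been sent"}

    def confirm_reset(self, token, new_password):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)  # pop: a token can be used only once
        if entry is None:
            return 400, {"error": "Invalid or expired token"}
        username, expiry = entry
        if self.now() > expiry:
            return 400, {"error": "Invalid or expired token"}
        self.passwords[username] = new_password
        return 200, {"success": "Password changed"}


def demo():
    """Runs the probing sequence against both services and returns the observed statuses."""
    probes = [("nobody", "x@example.org"),        # unknown user
              ("admin", "wrong@example.org"),     # known user, wrong email
              ("admin", "admin@example.org")]     # known user, email on file
    v = VulnerableResetService(USERS)
    vulnerable = [v.password_update(u, e)[0] for u, e in probes]
    h = HardenedResetService(USERS)
    hardened = [h.request_reset(u, e, "203.0.113.7")[0] for u, e in probes]
    return vulnerable, hardened, v, h


if __name__ == "__main__":
    vulnerable, hardened, v, h = demo()
    print("vulnerable statuses:", vulnerable, "| mail:", v.outbox[-1][1])
    print("hardened statuses:  ", hardened, "| mail:", h.outbox[-1][1])
```

The vulnerable service returns 404, 400 and 200 for the three probes, which is exactly the oracle step 2 relies on, and its last mail carries the new password. The hardened service answers 202 to all three, sends a token rather than a password, refuses the token a second time, and starts returning 429 once a client exceeds the window.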

Impact

Successful exploitation of this vulnerability allows an attacker to gain full administrative access to a phpMyFAQ installation. This includes the ability to access and modify sensitive information, such as user data and FAQ content. An attacker can also lock out legitimate users, disrupt service availability, and potentially use the compromised system as a platform for further malicious activities. All phpMyFAQ administrators and end-users are potentially impacted, especially those using default installations. The attack has very low complexity, requiring no special knowledge beyond identifying a valid username and associated email address.

Recommendation

  • Upgrade phpMyFAQ to version 4.1.3 or later, which patches the vulnerability as detailed in GHSA-w9xh-5f39-vq89.
  • Deploy the Sigma rule Detect phpMyFAQ Password Reset Exploit to identify exploitation attempts in web server logs. Web server logs do not record the request body, so the rule keys on the PUT method, the endpoint path and the response status.
  • Until the upgrade is applied, rate-limit the /api/user/password/update endpoint to slow username and email enumeration. Rate limiting does not stop a single well-formed reset request, so treat it as a stopgap rather than a fix.

Detection coverage (2 rules)

Detect phpMyFAQ Password Reset Exploit

high

Detects exploitation of the phpMyFAQ password reset vulnerability by monitoring for PUT requests to /api/user/password/update. Excludes known good status codes.

Format: Sigma. Tactics: credential_access. Log source: webserver.

Detect phpMyFAQ Username Enumeration Attempts

medium

Detects possible phpMyFAQ username enumeration attempts using the password reset endpoint by monitoring for multiple requests with invalid email addresses.

Format: Sigma. Tactics: discovery. Log source: webserver.
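A Python analogue of both rules above, added here as an illustration and not the platform's own Sigma logic, run over constructed combined-format access log lines. Because request bodies are absent from web server logs, the enumeration check keys on repeated rejected (4xx) PUTs to the reset endpoint from one client within a time window, and the exploit check on a 2xx response to the same endpoint, which is the point at which a password has actually been regenerated. The log lines, status codes, threshold and window are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined-log-format access log entries, constructed for this example. Request bodies
# (username/email) are not logged, so the checks below key only on method, path and status.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Feb/2026:10:01:02 +0000] "PUT /phpmyfaq/api/user/password/update HTTP/1.1" 400 57 "-" "curl/8.5.0"
203.0.113.7 - - [12/Feb/2026:10:01:05 +0000] "PUT /phpmyfaq/api/user/password/update HTTP/1.1" 404 49 "-" "curl/8.5.0"
203.0.113.7 - - [12/Feb/2026:10:01:09 +0000] "PUT /phpmyfaq/api/user/password/update HTTP/1.1" 400 57 "-" "curl/8.5.0"
203.0.113.7 - - [12/Feb/2026:10:01:14 +0000] "PUT /phpmyfaq/api/user/password/update HTTP/1.1" 200 62 "-" "curl/8.5.0"
198.51.100.4 - - [12/Feb/2026:10:15:00 +0000] "GET /phpmyfaq/index.php HTTP/1.1" 200 10234 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Feb/2026:10:16:40 +0000] "PUT /phpmyfaq/api/user/password/update HTTP/1.1" 400 57 "-" "Mozilla/5.0"
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Matched as a path suffix because the installation prefix (e.g. /phpmyfaq) varies.
RESET_ENDPOINT = "/api/user/password/update"


def parse(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%d/%b/%Y:%H:%M:%S %z")
    event["status"] = int(event["status"])
    return event


def is_reset_request(event):
    path = event["path"].split("?", 1)[0]
    return event["method"] == "PUT" and path.endswith(RESET_ENDPOINT)


def detect_reset_exploit(lines):
    """Rule 1 analogue: a PUT to the reset endpoint answered with 2xx means a password
    was actually regenerated. Returns one (client_ip, timestamp) tuple per hit."""
    return [
        (e["ip"], e["ts"])
        for e in map(parse, lines)
        if e and is_reset_request(e) and 200 <= e["status"] < 300
    ]


def detect_enumeration(lines, threshold=3, window=timedelta(minutes=5)):
    """Rule 2 analogue: `threshold` or more rejected (4xx) reset PUTs from one client
    inside `window`. Returns {client_ip: peak count seen in any single window}."""
    rejected = defaultdict(list)
    for e in map(parse, lines):
        if e and is_reset_request(e) and 400 <= e["status"] < 500:
            rejected[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in rejected.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, ts in detect_reset_exploit(SAMPLE_LOG):
        print(f"[high] possible password reset exploit from {ip} at {ts.isoformat()}")
    for ip, n in detect_enumeration(SAMPLE_LOG).items():
        print(f"[medium] possible username enumeration from {ip}: {n} rejected reset requests")
```

On the sample data the first check fires once, for the 200 response to 203.0.113.7, and the second flags the same client with three rejected requests inside 12 seconds, while the single 400 from 198.51.100.4 stays below the threshold. A legitimate user who mistypes an address once produces the latter pattern, which is why the enumeration rule is rated medium and counts repeats rather than single failures.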
