12 endpoints in ConfigurationTabController.php use userIsAuthenticated() (login-only check) instead of userHasPermission(PermissionType::CONFIGURATION_EDIT). This allows any authenticated user — including ones with zero admin permissions — to enumerate system configuration metadata including the permission model, active template, cache backend, mail provider, and translation provider.
The ConfigurationTabController contains 15 public endpoints. Three of them (list, save, uploadTheme) correctly enforce CONFIGURATION_EDIT permission:
// phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php:63
public function list(Request $request): Response
{
$this->userHasPermission(PermissionType::CONFIGURATION_EDIT); // ✅ Correct
// ...
}
The remaining 12 only check that the user is logged in:
// phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/ConfigurationTabController.php:353
public function translations(): Response
{
$this->userIsAuthenticated(); // ❌ Missing permission check
// ...
}
The difference between these two methods is significant:
// AbstractController.php:258 — login-only
protected function userIsAuthenticated(): void
{
if (!$this->currentUser->isLoggedIn()) {
throw new UnauthorizedHttpException(challenge: 'User is not authenticated.');
}
}
// AbstractController.php:317 — login + permission check
protected function userHasPermission(PermissionType $permissionType): void
{
if (!$this->currentUser->isLoggedIn()) {
throw new UnauthorizedHttpException(challenge: 'User is not authenticated.');
}
$currentUser = $this->currentUser;
if (!$currentUser?->perm->hasPermission($currentUser->getUserId(), $permissionType->value)) {
throw new ForbiddenException(/* ... */);
}
}
There is no middleware or router-level authorization — the Kernel (Kernel.php) dispatches directly to controllers with only...
4.1.24.1.2Exploitability
AV:NAC:LPR:LUI:NScope
S:UImpact
C:LI:NA:N4.3/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N