Broken access control - Someone can still comment on an inactive FAQ news post in thorsten/phpmyfaq
Valid
Reported on Feb 13th 2023
Description
When a FAQ news post has the comments feature turned on and the post itself deactivated, with settings like these:
Screenshot >> https://imgur.com/a/9UY4QRf
If you create a FAQ news post with those settings and view the post, you will notice that the comment section is disabled:
Screenshot >> https://imgur.com/a/rY6zJt9
Proof of Concept
1. Open two tabs in your browser.
2. In Tab A, visit a FAQ news post and fill in the whole comment form.
3. In Tab B, open https://roy.demo.phpmyfaq.de/admin/?action=edit-news&id=1 (the edit link for the FAQ news post from Tab A).
4. In Tab B, uncheck Activate and click edit news.
5. In Tab A, send the comment.
Impact
The comment is still submitted to the inactive FAQ news post.
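The report describes a check that is enforced only when the comment form is rendered: once Tab A has the form open, deactivating the post in Tab B does not stop the submission, because the server does not re-check the post's state when the comment is written. The following is an added illustration of that pattern and its fix, written for this page and not taken from phpMyFAQ's code base. The in-memory `NewsStore`, the `NewsItem` fields and both comment handlers are constructed assumptions that stand in for the application's own data model; `replay_report` drives the two-tab sequence from the proof of concept against either handler.

```python
"""Re-validate a news item's state at comment-write time, not only at form-render time.

Constructed illustration (not phpMyFAQ code): an in-memory news store and two
comment handlers. The vulnerable handler trusts the "comments enabled" state it
saw when the form was rendered; the fixed one re-loads the item and re-checks
on every write, so a deactivation between render and submit is honoured.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class NewsItem:
    id: int
    title: str
    active: bool            # the "Activate" checkbox from the report
    allow_comments: bool    # the "allow comments" checkbox from the report
    comments: List[str] = field(default_factory=list)


class CommentNotAllowed(Exception):
    """Raised when a comment is rejected by the access check."""


class NewsStore:
    """Minimal stand-in for the application's news table (constructed)."""

    def __init__(self) -> None:
        self._items: Dict[int, NewsItem] = {}

    def add(self, item: NewsItem) -> None:
        self._items[item.id] = item

    def get(self, news_id: int) -> NewsItem:
        return self._items[news_id]

    def set_active(self, news_id: int, active: bool) -> None:
        # What the admin's "uncheck Activate, click edit news" does in Tab B.
        self._items[news_id].active = active


def can_comment(item: NewsItem) -> bool:
    """Single source of truth: comments need an active post with comments allowed."""
    return item.active and item.allow_comments


def render_comment_form(store: NewsStore, news_id: int) -> Optional[dict]:
    """Tab A's page load: returns form context if the form may be shown, else None."""
    item = store.get(news_id)
    if not can_comment(item):
        return None  # comment section hidden, as in the second screenshot
    return {"news_id": news_id, "comments_enabled": True}


def post_comment_vulnerable(store: NewsStore, form: Optional[dict], text: str) -> int:
    """Trusts the state captured when the form was rendered (the reported bug)."""
    if not form or not form.get("comments_enabled"):
        raise CommentNotAllowed("form was never offered")
    item = store.get(form["news_id"])
    item.comments.append(text)  # no re-check: a stale form still writes
    return len(item.comments)


def post_comment_fixed(store: NewsStore, form: Optional[dict], text: str) -> int:
    """Re-loads the item and re-applies the access check at write time."""
    if not form:
        raise CommentNotAllowed("form was never offered")
    item = store.get(form["news_id"])
    if not can_comment(item):
        raise CommentNotAllowed("post is inactive or comments are disabled")
    item.comments.append(text)
    return len(item.comments)


def replay_report(handler) -> int:
    """Replays the two-tab sequence from the proof of concept; returns stored comment count."""
    store = NewsStore()
    store.add(NewsItem(1, "constructed news post", active=True, allow_comments=True))
    form = render_comment_form(store, 1)   # Tab A: form rendered while post is active
    store.set_active(1, False)             # Tab B: admin deactivates the post
    try:
        handler(store, form, "late comment")  # Tab A: submit the pre-filled form
    except CommentNotAllowed:
        pass
    return len(store.get(1).comments)


if __name__ == "__main__":
    print("vulnerable handler stored:", replay_report(post_comment_vulnerable))  # 1
    print("fixed handler stored:", replay_report(post_comment_fixed))            # 0
```

The fix is not the extra `if`; it is that `can_comment` runs against the freshly loaded record inside the write path, so the render-time check becomes a UX convenience rather than the security boundary. The same shape applies to any "check on GET, act on POST" flow: the POST handler must re-derive authorisation from current server-side state.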
Have you already done the settings as described in point 2 (uncheck "active" and check "allow comments")? Have you tried it on the demo website or Version 3.1.10?
I could reproduce it now.
isdkrisna has been awarded the disclosure bounty
The fix bounty is now up for grabs
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023