Broken access control - Someone still can comment in unactive FAQ NEWS in thorsten/phpmyfaq

Valid

Reported on

Feb 13th 2023

Description

when a NEWS FAQ turns on the comments feature and disables post like this settings.

Screenshot >> https://imgur.com/a/9UY4QRf

if you create a FAQ news with those settings and view the post, you will notice that the comment section is disabled

Screenshot >> https://imgur.com/a/rY6zJt9

Proof of Concept

1.Open 2 Tab on your Browser
2.Tab A Visit some FAQ NEWS Then Fill All comment form
3.Tab B Open https://roy.demo.phpmyfaq.de/admin/?action=edit-news&id=1 (Link edit of A FAQ NEWS)
4.Tab B uncheck Activate and click edit news
5.Tab A send commend

Impact

comment still send in inactive FAQ NEWS

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 2 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 2 months ago
Thorsten Rinne gave praise 2 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
isdkrisna
2 months ago

Researcher

Have you already done the settings as described in point 2 (uncheck "active" and check "allow comments")? Have you tried it on the demo website or Version 3.1.10?

Thorsten Rinne
2 months ago

Maintainer

I tried 3.1.11, and yes, I tried it that way.

Thorsten Rinne validated this vulnerability 2 months ago

I could re-produce it now.

isdkrisna has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Thorsten Rinne marked this as fixed in 3.1.12 with commit db77df 2 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
Thorsten Rinne published this vulnerability 18 hours ago
to join this conversation