Broken access control - Someone still can comment in unactive FAQ NEWS in thorsten/phpmyfaq

Valid

Reported on

Feb 13th 2023


Description

When a FAQ news post has the comments feature turned on but the post itself is deactivated, as in these settings:

Screenshot >> https://imgur.com/a/9UY4QRf

If you create a FAQ news post with those settings and view it, you will notice that the comment section is disabled:

Screenshot >> https://imgur.com/a/rY6zJt9

Proof of Concept

1. Open two tabs in your browser.
2. Tab A: visit some FAQ news post and fill in the whole comment form.
3. Tab B: open https://roy.demo.phpmyfaq.de/admin/?action=edit-news&id=1 (the edit link of the FAQ news post from Tab A).
4. Tab B: uncheck "Activate" and click "Edit news".
5. Tab A: send the comment.

Impact

The comment is still submitted and stored for an inactive FAQ news post.
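The proof of concept above is a time-of-check/time-of-use gap: the comment form is shown only while the post is active, but the submit path never re-checks that state. The following added example (not phpMyFAQ's code; all names are hypothetical) replays the five PoC steps against a handler that trusts the render-time check and against one that re-evaluates the policy on every submission.

```python
# Added example, not phpMyFAQ code: models the race in the PoC above.
# NewsItem, comments_open, render_form and the submit handlers are hypothetical.
from dataclasses import dataclass, field


@dataclass
class NewsItem:
    id: int
    active: bool
    comments_allowed: bool
    comments: list = field(default_factory=list)


def comments_open(news: NewsItem) -> bool:
    """Single policy shared by every code path that accepts a comment."""
    return news.active and news.comments_allowed


def render_form(news: NewsItem) -> bool:
    """PoC step 2: the comment form is only rendered when comments are open."""
    return comments_open(news)


def submit_comment_vulnerable(news: NewsItem, form_was_shown: bool, text: str) -> bool:
    # Trusts the state at render time: once Tab A has the form, the comment is
    # stored even though the post was deactivated in Tab B in the meantime.
    if not form_was_shown:
        return False
    news.comments.append(text)
    return True


def submit_comment_fixed(news: NewsItem, form_was_shown: bool, text: str) -> bool:
    # Re-evaluates the policy against the current record on every POST, so a
    # post deactivated after the form was rendered no longer accepts comments.
    if not form_was_shown or not comments_open(news):
        return False
    news.comments.append(text)
    return True


def run_poc(submit) -> bool:
    """Replays PoC steps 2-5; returns True if the late comment was accepted."""
    news = NewsItem(id=1, active=True, comments_allowed=True)  # constructed sample
    shown = render_form(news)                 # Tab A: open the post, fill the form
    news.active = False                       # Tab B: uncheck "Activate", save
    return submit(news, shown, "late comment")  # Tab A: send the comment
```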

We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. a year ago
thorsten/phpmyfaq maintainer has acknowledged this report a year ago
Thorsten Rinne gave praise a year ago
isdkrisna (Researcher), a year ago:

Have you already applied the settings as described in point 2 (uncheck "active" and check "allow comments")? Have you tried it on the demo website or version 3.1.10?

Thorsten Rinne (Maintainer), a year ago:

I tried 3.1.11, and yes, I tried it that way.

Thorsten Rinne validated this vulnerability a year ago

I could reproduce it now.

isdkrisna has been awarded the disclosure bounty
Thorsten Rinne marked this as fixed in 3.1.12 with commit db77df a year ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has now been published a year ago