It’s been a month since our disclosure of a low-severity vulnerability affecting Akeeba Backup version 3.11.4, which allowed an attacker to list and download backups from a target website using the extension’s JSON API. As promised, here are the technical details describing how it was possible for us to send valid requests to the API and download our test website’s database and file backups.
Getting to Know the Code’s Structure
Here’s where the main event takes place. Note that $request->body contains our decrypted JSON payload. This will be useful later on: