PT-2026-41491 · Packagist · Phpmyfaq/Phpmyfaq+1
Publicado
2026-05-06
·
Atualizado
2026-05-06
CVSS v3.1
6.5
Média
| Vetor | AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
Summary
Client::deleteClientFolder() in phpmyfaq/src/phpMyFAQ/Instance/Client.php:583 takes a URL from the caller, strips the https:// prefix, and passes the remainder to Filesystem::deleteDirectory() relative to the multisite clientFolder. No path-traversal validation runs. An admin with the INSTANCE DELETE permission (a role short of SUPER ADMIN) submits https://../../../<path> as the client URL and the server recursively deletes arbitrary directories under the web user's rights. Same pattern and reachability as GHSA-38m8-xrfj-v38x, which the project accepted at High severity three weeks earlier.Details
phpmyfaq/src/phpMyFAQ/Instance/Client.php:583-591:php
public function deleteClientFolder(string $sourceUrl): bool
{
if (!$this->isMultiSiteWriteable()) {
return false;
}
$sourcePath = str replace(search: 'https://', replace: '', subject: $sourceUrl);
return $this->filesystem->deleteDirectory($this->clientFolder . $sourcePath);
}str replace strips the scheme but does nothing about ../ segments. The concatenation $this->clientFolder . $sourcePath directly feeds the filesystem call, which traverses above clientFolder without complaint.Callers feed the URL from the HTTP request body:
phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/InstanceController.php:184:php
if (1 !== $instanceId && $client->deleteClientFolder($clientData->url) && $client->delete($instanceId)) {$clientData->url comes from json decode($request->getContent()). The route is admin.api.instance.delete, gated by INSTANCE DELETE. The controller does not validate the URL against a scheme list or canonicalize the path before handing it to deleteClientFolder().InstanceController.php:144 (edit path) and Controller/Administration/InstanceController.php:151 (form path) both reach the same sink through different entry points.Precedent
GHSA-38m8-xrfj-v38x (2026-03-31) disclosed the identical bug class in
MediaBrowserController::index(): an admin-gated API endpoint concatenates a user-supplied filename to a base directory without traversal validation. phpMyFAQ accepted that report at High severity. The present finding is the same root cause in a different controller; the project's INSTANCE ADD / INSTANCE DELETE permission is a granular admin right, not SUPER ADMIN, so a lower-tier admin can reach the sink.Proof of Concept
Prerequisites: a phpMyFAQ 4.2.x instance with the multisite subsystem bootstrapped (there must be a non-primary instance present for the delete controller branch to fire). Alice is an admin with
INSTANCE ADD and INSTANCE DELETE rights, no SUPER ADMIN flag.Step 1: Alice authenticates and retrieves the CSRF token for the instance admin page.
Step 2: Alice creates an instance whose
url encodes a traversal payload. The create path at InstanceController.php:144 already concatenates to the clientFolder through the same deleteClientFolder('https://' . $hostname) call:bash
curl -sS -b "$ALICE COOKIE" -X POST "$BASE/admin/api/instance"
-H "Content-Type: application/json" -H "x-csrf-token: $CSRF"
-d '{"url":"https://../../../tmp/pmf-poc/","instance":"poc","comment":"poc","email":"a@b","admin":"alice","password":"poc1234!"}'Step 3: Alice deletes the instance. The request body names the instance id to delete; the controller hands
clientData->url directly to deleteClientFolder:bash
curl -sS -b "$ALICE COOKIE" -X POST "$BASE/admin/api/instance/2"
-H "Content-Type: application/json" -H "x-csrf-token: $CSRF"
-d '{"url":"https://../../../tmp/pmf-poc/"}'The server computes
$sourcePath = '../../../tmp/pmf-poc/', concatenates to <clientFolder>/, and recursively deletes the resulting path.Live verification was not attempted against the test instance because the INSTANCE DELETE path requires the multisite/ subsystem to be bootstrapped with at least one non-primary instance; see
InstanceController.php:184. The code path is unambiguous and the precedent GHSA confirmed the same admin gating was considered in-scope.Impact
Any phpMyFAQ admin holding
INSTANCE ADD + INSTANCE DELETE but not SUPER ADMIN can delete arbitrary directories writable by the PHP process. Outcomes:- Destroy other tenants' data on a shared multisite deployment by traversing above the
clientFolderinto peer directories. - Delete phpMyFAQ's own
content/,config/, or cache directories and lock the install out. - On a hosted deployment, overwrite or delete files anywhere under the web user's reach, including customer uploads outside phpMyFAQ.
phpMyFAQ's permission model gives
INSTANCE ADD / INSTANCE DELETE as a role that a hosting operator may delegate to a subordinate admin without granting SUPER ADMIN. That delegation is now a direct path-traversal-delete primitive.Recommended Fix
Canonicalize and validate the URL before forming the filesystem path.
phpmyfaq/src/phpMyFAQ/Instance/Client.php:583:php
public function deleteClientFolder(string $sourceUrl): bool
{
if (!$this->isMultiSiteWriteable()) {
return false;
}
$parsed = parse url($sourceUrl);
if (!is array($parsed) || !isset($parsed['host']) || ($parsed['scheme'] ?? '') !== 'https') {
return false;
}
$host = $parsed['host'];
if (!preg match('/^[a-z0-9][a-z0-9.-]*$/i', $host)) {
return false;
}
$target = realpath($this->clientFolder . $host);
$root = realpath($this->clientFolder);
if ($target === false || $root === false || !str starts with($target, $root . DIRECTORY SEPARATOR)) {
return false;
}
return $this->filesystem->deleteDirectory($target);
}parse url rejects malformed inputs, the regex pins the host to valid DNS characters (no /, no ..), and the realpath check ensures the resolved target lives under clientFolder. Apply the same canonicalization at the controller layer (InstanceController::add, ::update, ::delete) so the URL is validated before every call that touches the filesystem.Found by aisafe.io
Correção
Path traversal
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Phpmyfaq/Phpmyfaq
Thorsten/Phpmyfaq