PT-2026-41491 · Packagist · Phpmyfaq/Phpmyfaq+1
Published
2026-05-06
·
Updated
2026-05-06
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H |
Summary
Client::deleteClientFolder() in phpmyfaq/src/phpMyFAQ/Instance/Client.php:583 takes a URL from the caller, strips the https:// prefix, and passes the remainder to Filesystem::deleteDirectory() relative to the multisite clientFolder. No path-traversal validation runs. An admin with the INSTANCE DELETE permission (a role short of SUPER ADMIN) submits https://../../../<path> as the client URL and the server recursively deletes arbitrary directories under the web user's rights. Same pattern and reachability as GHSA-38m8-xrfj-v38x, which the project accepted at High severity three weeks earlier.Details
phpmyfaq/src/phpMyFAQ/Instance/Client.php:583-591:php
public function deleteClientFolder(string $sourceUrl): bool
{
if (!$this->isMultiSiteWriteable()) {
return false;
}
$sourcePath = str replace(search: 'https://', replace: '', subject: $sourceUrl);
return $this->filesystem->deleteDirectory($this->clientFolder . $sourcePath);
}str replace strips the scheme but does nothing about ../ segments. The concatenation $this->clientFolder . $sourcePath directly feeds the filesystem call, which traverses above clientFolder without complaint.Callers feed the URL from the HTTP request body:
phpmyfaq/src/phpMyFAQ/Controller/Administration/Api/InstanceController.php:184:php
if (1 !== $instanceId && $client->deleteClientFolder($clientData->url) && $client->delete($instanceId)) {$clientData->url comes from json decode($request->getContent()). The route is admin.api.instance.delete, gated by INSTANCE DELETE. The controller does not validate the URL against a scheme list or canonicalize the path before handing it to deleteClientFolder().InstanceController.php:144 (edit path) and Controller/Administration/InstanceController.php:151 (form path) both reach the same sink through different entry points.Precedent
GHSA-38m8-xrfj-v38x (2026-03-31) disclosed the identical bug class in
MediaBrowserController::index(): an admin-gated API endpoint concatenates a user-supplied filename to a base directory without traversal validation. phpMyFAQ accepted that report at High severity. The present finding is the same root cause in a different controller; the project's INSTANCE ADD / INSTANCE DELETE permission is a granular admin right, not SUPER ADMIN, so a lower-tier admin can reach the sink.Proof of Concept
Prerequisites: a phpMyFAQ 4.2.x instance with the multisite subsystem bootstrapped (there must be a non-primary instance present for the delete controller branch to fire). Alice is an admin with
INSTANCE ADD and INSTANCE DELETE rights, no SUPER ADMIN flag.Step 1: Alice authenticates and retrieves the CSRF token for the instance admin page.
Step 2: Alice creates an instance whose
url encodes a traversal payload. The create path at InstanceController.php:144 already concatenates to the clientFolder through the same deleteClientFolder('https://' . $hostname) call:bash
curl -sS -b "$ALICE COOKIE" -X POST "$BASE/admin/api/instance"
-H "Content-Type: application/json" -H "x-csrf-token: $CSRF"
-d '{"url":"https://../../../tmp/pmf-poc/","instance":"poc","comment":"poc","email":"a@b","admin":"alice","password":"poc1234!"}'Step 3: Alice deletes the instance. The request body names the instance id to delete; the controller hands
clientData->url directly to deleteClientFolder:bash
curl -sS -b "$ALICE COOKIE" -X POST "$BASE/admin/api/instance/2"
-H "Content-Type: application/json" -H "x-csrf-token: $CSRF"
-d '{"url":"https://../../../tmp/pmf-poc/"}'The server computes
$sourcePath = '../../../tmp/pmf-poc/', concatenates to <clientFolder>/, and recursively deletes the resulting path.Live verification was not attempted against the test instance because the INSTANCE DELETE path requires the multisite/ subsystem to be bootstrapped with at least one non-primary instance; see
InstanceController.php:184. The code path is unambiguous and the precedent GHSA confirmed the same admin gating was considered in-scope.Impact
Any phpMyFAQ admin holding
INSTANCE ADD + INSTANCE DELETE but not SUPER ADMIN can delete arbitrary directories writable by the PHP process. Outcomes:- Destroy other tenants' data on a shared multisite deployment by traversing above the
clientFolderinto peer directories. - Delete phpMyFAQ's own
content/,config/, or cache directories and lock the install out. - On a hosted deployment, overwrite or delete files anywhere under the web user's reach, including customer uploads outside phpMyFAQ.
phpMyFAQ's permission model gives
INSTANCE ADD / INSTANCE DELETE as a role that a hosting operator may delegate to a subordinate admin without granting SUPER ADMIN. That delegation is now a direct path-traversal-delete primitive.Recommended Fix
Canonicalize and validate the URL before forming the filesystem path.
phpmyfaq/src/phpMyFAQ/Instance/Client.php:583:php
public function deleteClientFolder(string $sourceUrl): bool
{
if (!$this->isMultiSiteWriteable()) {
return false;
}
$parsed = parse url($sourceUrl);
if (!is array($parsed) || !isset($parsed['host']) || ($parsed['scheme'] ?? '') !== 'https') {
return false;
}
$host = $parsed['host'];
if (!preg match('/^[a-z0-9][a-z0-9.-]*$/i', $host)) {
return false;
}
$target = realpath($this->clientFolder . $host);
$root = realpath($this->clientFolder);
if ($target === false || $root === false || !str starts with($target, $root . DIRECTORY SEPARATOR)) {
return false;
}
return $this->filesystem->deleteDirectory($target);
}parse url rejects malformed inputs, the regex pins the host to valid DNS characters (no /, no ..), and the realpath check ensures the resolved target lives under clientFolder. Apply the same canonicalization at the controller layer (InstanceController::add, ::update, ::delete) so the URL is validated before every call that touches the filesystem.Found by aisafe.io
Fix
Path traversal
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Phpmyfaq/Phpmyfaq
Thorsten/Phpmyfaq