phpMyFAQ Path Traversal Vulnerability in Media Browser Controller Allows Arbitrary File Deletion

Vulnerability

A path traversal vulnerability has been identified in phpMyFAQ versions prior to 4.1.1, specifically within the MediaBrowserController::index() method. This vulnerability allows for arbitrary file deletion via the fileRemove action. The issue arises because user-supplied input is not properly sanitized to prevent directory traversal, enabling the deletion of files outside the intended directory. Additionally, the endpoint lacks Cross-Site Request Forgery (CSRF) protection, further exacerbating the issue.

Impact

Exploitation of this vulnerability could lead to unauthorized deletion of files on the server, including critical application configuration files, which could cause application failure or expose sensitive directories and files by deleting security-related .htaccess or web.config files.

Reproduction

The vulnerability can be reproduced by sending a GET request to the 'admin/api/media-browser' endpoint with a JSON payload that includes the 'fileRemove' action and a 'name' parameter crafted to traverse directories (using '../' sequences) to reach and delete sensitive files, such as the database configuration file or the .htaccess file. This can also be exploited via a CSRF attack by hosting a page that sends the same request when an authenticated admin visits the page.

Remediation

Users are advised to update to phpMyFAQ version 4.1.1 or later, where this vulnerability has been patched. In addition, the MediaBrowserController should be modified to include proper path traversal validation, add CSRF protection, and change the HTTP method to POST or DELETE to align with proper HTTP semantics.
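As an added illustration of the three remediation points above (path validation, CSRF protection, and restricting the action to POST or DELETE), the following hardened removal handler was written for this page; it is not phpMyFAQ's code and does not reproduce the actual 4.1.1 patch. The class and method names, the `X-CSRF-Token` header, the session-token argument and the JSON body shape `{"action":"fileRemove","name":"..."}` are assumptions, and the code targets PHP 8. The key defensive step is resolving the supplied name with `realpath()` and then checking that the canonical result still lies below the canonical media root, rather than trying to strip `../` sequences from the input.

```php
<?php
// Added example (not phpMyFAQ's code): a hardened fileRemove handler.
// Assumptions: $mediaRoot is the directory the media browser is allowed to
// manage, the CSRF token is held in the session, and the request body is
// JSON of the form {"action":"fileRemove","name":"..."}.
declare(strict_types=1);

final class MediaRemovalHandler
{
    public function __construct(private string $mediaRoot) {}

    /**
     * Resolve a user-supplied file name to an absolute path inside the media
     * root. Returns null when the name is malformed, escapes the root, or does
     * not refer to an existing regular file.
     */
    public function resolveInsideRoot(string $name): ?string
    {
        // Only a plain file name is acceptable: no empty/dot names, no NUL
        // bytes, and no path separators of either flavour.
        if ($name === '' || $name === '.' || $name === '..') {
            return null;
        }
        if (str_contains($name, "\0") || str_contains($name, '/') || str_contains($name, '\\')) {
            return null;
        }

        $root = realpath($this->mediaRoot);
        if ($root === false) {
            return null;
        }
        // realpath() collapses any remaining ".." or symlink indirection, so the
        // prefix check below is made against the canonical location.
        $candidate = realpath($root . DIRECTORY_SEPARATOR . $name);
        if ($candidate === false || !is_file($candidate)) {
            return null;
        }
        if (!str_starts_with($candidate, $root . DIRECTORY_SEPARATOR)) {
            return null; // resolved outside the media root
        }
        return $candidate;
    }

    /**
     * Process a removal request. Returns [HTTP status, response array].
     * $sessionToken is the CSRF token previously issued to this admin session.
     */
    public function handle(string $method, array $headers, string $body, string $sessionToken): array
    {
        // State-changing operation: refuse GET so a plain link or image tag
        // cannot trigger it.
        if ($method !== 'POST' && $method !== 'DELETE') {
            return [405, ['error' => 'method not allowed']];
        }
        // Constant-time comparison of the submitted token with the session token.
        $token = $headers['X-CSRF-Token'] ?? '';
        if ($sessionToken === '' || !hash_equals($sessionToken, $token)) {
            return [403, ['error' => 'invalid CSRF token']];
        }
        $data = json_decode($body, true);
        if (!is_array($data) || ($data['action'] ?? null) !== 'fileRemove' || !is_string($data['name'] ?? null)) {
            return [400, ['error' => 'bad request']];
        }
        $path = $this->resolveInsideRoot($data['name']);
        if ($path === null) {
            return [400, ['error' => 'invalid file name']];
        }
        if (!unlink($path)) {
            return [500, ['error' => 'could not delete file']];
        }
        return [200, ['deleted' => basename($path)]];
    }
}

// Demonstration against a constructed temporary directory.
$root = sys_get_temp_dir() . '/media-demo-' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents($root . '/logo.png', 'constructed sample file');
$handler = new MediaRemovalHandler($root);
$token = bin2hex(random_bytes(16));
$body = '{"action":"fileRemove","name":"logo.png"}';

var_dump($handler->resolveInsideRoot('../config/database.php')); // traversal attempt is rejected
[$status] = $handler->handle('GET', ['X-CSRF-Token' => $token], $body, $token);
echo "GET with valid token -> HTTP $status\n";
[$status] = $handler->handle('POST', ['X-CSRF-Token' => 'wrong'], $body, $token);
echo "POST with bad token -> HTTP $status\n";
[$status, $resp] = $handler->handle('POST', ['X-CSRF-Token' => $token], $body, $token);
echo "POST with valid token -> HTTP $status, " . json_encode($resp) . "\n";
```

The demonstration runs three requests against the handler: a GET (refused on method), a POST with a mismatched token (refused on CSRF), and a well-formed POST that deletes the constructed sample file. The separate `resolveInsideRoot()` call shows the traversal name being rejected before any filesystem operation takes place.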

Added: May 3, 2026, 11:34 AM
Updated: May 3, 2026, 11:34 AM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.3
exploitability: 6.6
remediation: 7.7
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.