phpMyFAQ Path Traversal Vulnerability in Client Directory Deletion

Vulnerability

A path traversal vulnerability has been identified in phpMyFAQ versions prior to 4.1.2, specifically within the Client::deleteClientFolder function. This vulnerability allows admins with INSTANCE_DELETE permission to delete arbitrary directories. By submitting traversal sequences in the client URL parameter, attackers can recursively delete directories outside the intended clientFolder scope.

Impact

Exploitation of this vulnerability allows arbitrary directory deletion, potentially leading to the loss of important data or files anywhere the web server user has write access.

Reproduction

To reproduce this vulnerability, an admin with INSTANCE_DELETE permission can send a POST request to the 'admin/api/instance' endpoint with a URL parameter that includes a traversal payload, such as '../../../<path>'. This request will be processed by the deleteClientFolder function, which fails to validate the URL properly, allowing the server to delete the specified directories recursively.
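The defect is a deletion routine that trusts the client name taken from the request. The PHP below is an added example (not phpMyFAQ's own code or its actual fix) of the two checks such a routine needs: reject anything that is not a plain folder name, then confirm the resolved path still lies inside the base directory. The base directory, the name pattern and the helper names are assumptions.

```php
<?php
// Added example (not phpMyFAQ's own code): a containment check before a
// client-folder delete. $baseDir and the folder-name pattern are assumptions.

function resolveClientFolder(string $baseDir, string $clientName): ?string
{
    // Allow only a plain folder name: no separators, no dot sequences.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/', $clientName)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $clientName);
    if ($target === false) {
        return null; // folder does not exist
    }
    // Defence in depth: the resolved path must stay inside $base; realpath
    // also collapses symlinks, so a symlinked escape is caught here.
    if ($target === $base || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

function deleteClientFolderSafely(string $baseDir, string $clientName): bool
{
    $target = resolveClientFolder($baseDir, $clientName);
    if ($target === null) {
        error_log('refused client folder deletion for input: ' . $clientName);
        return false;
    }
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($target, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($it as $entry) {
        $entry->isDir() ? rmdir($entry->getPathname()) : unlink($entry->getPathname());
    }
    return rmdir($target);
}

// Demonstration on a constructed temporary sandbox.
$sandbox = sys_get_temp_dir() . '/pmf-demo-' . bin2hex(random_bytes(4));
mkdir($sandbox . '/client-a/sub', 0700, true);
touch($sandbox . '/client-a/sub/file.txt');
var_dump(resolveClientFolder($sandbox, '../../../etc')); // traversal input is refused
var_dump(deleteClientFolderSafely($sandbox, 'client-a')); // a plain name inside the base is removed
rmdir($sandbox);
```

The name-pattern check alone stops the traversal described above; the realpath containment check covers cases the pattern does not anticipate, such as a symlink planted inside the client directory.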

Remediation

Users are advised to update phpMyFAQ to version 4.1.2 or later, where this vulnerability has been patched.

Added: May 15, 2026, 7:37 PM
Updated: May 15, 2026, 7:37 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 1.7
exploitability: 6.1
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.