📄 Description (English)
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.1, the MediaBrowserController::index() method handles file deletion for the media browser. When the fileRemove action is triggered, the user-supplied name parameter is concatenated with the base upload directory path without any path traversal validation. The FILTER_SANITIZE_SPECIAL_CHARS filter only encodes HTML special characters (&, ', ", <, >) and characters with ASCII value < 32, and does not prevent directory traversal sequences like ../. Additionally, the endpoint does not validate CSRF tokens, making it exploitable via CSRF attacks. This issue has been patched in version 4.1.1.
🤖 AI Executive Summary
phpMyFAQ versions prior to 4.1.1 contain a critical path traversal vulnerability in the MediaBrowserController that allows unauthenticated attackers to delete arbitrary files on the server through directory traversal sequences (../) combined with missing CSRF protection. The vulnerability affects the fileRemove action where user-supplied filenames are insufficiently sanitized, enabling attackers to traverse directories and delete critical system or application files. This poses an immediate threat to organizations using phpMyFAQ for knowledge management and FAQ systems.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 20:20
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using phpMyFAQ for internal knowledge management, FAQ systems, or customer support portals are at significant risk. Most vulnerable sectors include: Government agencies (NCA, CITC) using phpMyFAQ for public information systems; Banking and financial institutions (SAMA-regulated) using FAQ systems for customer education; Healthcare organizations (MOH) maintaining medical FAQ databases; Telecommunications companies (STC, Mobily) operating customer support FAQ systems; and Educational institutions. The vulnerability allows complete file system compromise, potentially exposing sensitive data, configuration files containing credentials, and enabling lateral movement within networks. Organizations in critical infrastructure sectors face heightened risk due to potential cascading failures.
🏢 Affected Saudi Sectors
Government
Banking and Financial Services
Healthcare
Telecommunications
Education
Energy
Retail
Hospitality
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all phpMyFAQ installations in your environment using network scanning tools or asset management systems
2. Disable or restrict access to the media browser functionality immediately via web application firewall (WAF) rules blocking /index.php?action=media requests
3. Implement IP whitelisting for administrative access to phpMyFAQ installations
4. Review web server logs for suspicious fileRemove requests containing ../ sequences
PATCHING GUIDANCE:
1. Upgrade phpMyFAQ to version 4.1.1 or later immediately
2. If immediate patching is not possible, apply the following compensating controls:
- Implement strict input validation: reject any filename parameter containing ../, .., or absolute paths
- Add CSRF token validation to all state-changing operations
- Use PHP's basename() function to strip directory components from filenames
- Implement file operation whitelisting (only allow deletion of files in designated upload directory)
DETECTION RULES:
1. Monitor web server access logs for patterns: fileRemove.*\.\./|fileRemove.*%2e%2e%2f
2. Alert on any DELETE operations outside designated upload directories
3. Monitor file system for unexpected deletions in system directories
4. Log all media browser access attempts and correlate with file deletion events
5. WAF rule: Block requests to /index.php containing action=media AND name parameter with ../ or URL-encoded equivalents
VERIFICATION:
1. After patching, test that path traversal attempts are blocked
2. Verify CSRF tokens are required for fileRemove actions
3. Confirm file deletion only works within intended upload directory
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع تثبيتات phpMyFAQ في بيئتك باستخدام أدوات المسح الشبكي أو أنظمة إدارة الأصول
2. عطّل أو قيّد الوصول إلى وظيفة متصفح الوسائط فوراً عبر قواعد جدار حماية تطبيقات الويب (WAF) التي تحجب طلبات /index.php?action=media
3. طبّق قائمة بيضاء للعناوين IP للوصول الإداري إلى تثبيتات phpMyFAQ
4. راجع سجلات خادم الويب للطلبات المريبة من fileRemove التي تحتوي على تسلسلات ../
إرشادات التصحيح:
1. قم بترقية phpMyFAQ إلى الإصدار 4.1.1 أو أحدث فوراً
2. إذا لم يكن التصحيح الفوري ممكناً، طبّق عناصر التحكم التعويضية التالية:
- طبّق التحقق الصارم من المدخلات: رفض أي معامل اسم ملف يحتوي على ../ أو .. أو مسارات مطلقة
- أضف التحقق من رموز CSRF إلى جميع العمليات التي تغير الحالة
- استخدم دالة PHP basename() لإزالة مكونات الدليل من أسماء الملفات
- طبّق قائمة بيضاء لعمليات الملفات (السماح فقط بحذف الملفات في دليل التحميل المخصص)
قواعد الكشف:
1. راقب سجلات الوصول لخادم الويب للأنماط: fileRemove.*\.\./|fileRemove.*%2e%2e%2f
2. أصدر تنبيهات لأي عمليات DELETE خارج الدلائل المخصصة للتحميل
3. راقب نظام الملفات للحذف غير المتوقع في دلائل النظام
4. سجّل جميع محاولات الوصول إلى متصفح الوسائط وربطها بأحداث حذف الملفات
5. قاعدة WAF: احجب الطلبات إلى /index.php التي تحتوي على action=media ومعامل name يحتوي على ../ أو ما يعادله المشفر بـ URL
التحقق:
1. بعد التصحيح، اختبر أن محاولات اجتياز المسار يتم حجبها
2. تحقق من أن رموز CSRF مطلوبة لإجراءات fileRemove
3. أكّد أن حذف الملفات يعمل فقط ضمن دليل التحميل المقصود
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Access Control Policy
A.12.2.1 - Change Management
A.12.6.1 - Management of Technical Vulnerabilities
A.14.2.1 - Secure Development Policy
🔵 SAMA CSF
ID.GV-1 - Organizational cybersecurity policy is established and communicated
PR.AC-1 - Identities and credentials are issued and managed securely
PR.DS-6 - Integrity checking mechanisms are used to verify software, firmware, and information
DE.CM-8 - Vulnerability scans are performed
RS.RP-1 - Response is executed and coordinated with external parties
🟡 ISO 27001:2022
A.5.1.1 - Policies for information security
A.6.1.1 - Information security roles and responsibilities
A.12.2.1 - Change management
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy and procedures
🟣 PCI DSS v4.0.1
6.2 - Ensure all system components and software are protected from known vulnerabilities
6.5.1 - Injection flaws prevention
11.2 - Quarterly vulnerability scanning
🔗 References & Sources 3
🔗
https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1
security-advisories@github.com
Product
🔗
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x
security-advisories@github.com
Exploit
Mitigation
Vendor Advisory
🔗
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x
134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit
Mitigation
Vendor Advisory
📦 Affected Products / CPE 1 entries
phpmyfaq:phpmyfaq