📄 Description (English)
phpMyFAQ before 4.1.2 contains a path traversal vulnerability in Client::deleteClientFolder that allows admins with INSTANCE_DELETE permission to delete arbitrary directories. Attackers can submit traversal sequences like https://../../../<path> in the client URL parameter to recursively delete directories outside the intended clientFolder scope.
🤖 AI Executive Summary
phpMyFAQ versions before 4.1.2 contain a path traversal vulnerability allowing authenticated administrators with INSTANCE_DELETE permission to delete arbitrary directories on the server. This vulnerability could lead to complete system compromise, data loss, and service disruption. While exploitation requires admin privileges, the lack of input validation on directory paths presents a significant risk for organizations using phpMyFAQ for knowledge management and FAQ systems.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 16, 2026 07:37
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using phpMyFAQ for internal knowledge management, customer support portals, or FAQ systems are at risk. Most vulnerable sectors include: Government agencies (NCA, CITC) using phpMyFAQ for public information systems; Banking sector (SAMA-regulated institutions) if used for customer documentation; Healthcare organizations (MOH) for medical knowledge bases; Telecommunications (STC, Mobily) for customer support systems; and Enterprise IT departments across all sectors. The vulnerability is particularly dangerous in multi-tenant environments where different departments or clients share the same phpMyFAQ instance.
🏢 Affected Saudi Sectors
Government
Banking
Healthcare
Telecommunications
Energy
Education
Enterprise IT
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all phpMyFAQ installations to identify version numbers and current deployment scope
2. Restrict INSTANCE_DELETE permission to only essential administrative accounts
3. Implement principle of least privilege for admin accounts
4. Review access logs for suspicious directory deletion activities
PATCHING GUIDANCE:
1. Upgrade to phpMyFAQ 4.1.2 or later immediately when available
2. If upgrade is not immediately possible, implement compensating controls
COMPENSATING CONTROLS (if patch unavailable):
1. Implement filesystem-level access controls using SELinux or AppArmor to restrict phpMyFAQ process directory access
2. Deploy Web Application Firewall (WAF) rules to block requests containing traversal sequences (../, ..\ patterns) in URL parameters
3. Use chroot jails or containerization to limit filesystem scope accessible to phpMyFAQ
4. Implement strict input validation at application level for all directory parameters
5. Monitor and log all INSTANCE_DELETE operations with alerting on suspicious patterns
DETECTION RULES:
1. Monitor for HTTP requests containing traversal sequences in client URL parameters
2. Alert on recursive directory deletion operations initiated by admin accounts
3. Track filesystem changes in parent directories of phpMyFAQ installation
4. Monitor for unusual file/directory deletion patterns outside expected clientFolder scope
5. Implement SIEM rules to correlate admin login with subsequent mass deletion events
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تدقيق جميع تثبيتات phpMyFAQ لتحديد أرقام الإصدارات ونطاق النشر الحالي
2. تقييد إذن INSTANCE_DELETE للحسابات الإدارية الأساسية فقط
3. تطبيق مبدأ أقل امتياز للحسابات الإدارية
4. مراجعة سجلات الوصول للأنشطة المريبة لحذف المجلدات
إرشادات التصحيح:
1. الترقية إلى phpMyFAQ 4.1.2 أو إصدار أحدث فوراً عند توفره
2. إذا لم يكن الترقية ممكنة على الفور، قم بتطبيق الضوابط البديلة
الضوابط البديلة (إذا لم يكن التصحيح متاحاً):
1. تطبيق ضوابط الوصول على مستوى نظام الملفات باستخدام SELinux أو AppArmor لتقييد وصول عملية phpMyFAQ
2. نشر قواعد جدار حماية تطبيقات الويب (WAF) لحجب الطلبات التي تحتوي على تسلسلات الاجتياز
3. استخدام chroot jails أو الحاويات لتحديد نطاق نظام الملفات
4. تطبيق التحقق الصارم من صحة المدخلات لجميع معاملات المجلدات
5. مراقبة وتسجيل جميع عمليات INSTANCE_DELETE مع التنبيه على الأنماط المريبة
قواعد الكشف:
1. مراقبة طلبات HTTP التي تحتوي على تسلسلات الاجتياز في معاملات عنوان URL
2. التنبيه على عمليات حذف المجلدات العودية التي يبدأها حسابات المسؤول
3. تتبع تغييرات نظام الملفات في المجلدات الأب لتثبيت phpMyFAQ
4. مراقبة أنماط حذف الملفات/المجلدات غير العادية خارج نطاق clientFolder المتوقع
5. تطبيق قواعد SIEM للربط بين تسجيل دخول المسؤول وأحداث الحذف الجماعي اللاحقة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information security policies and procedures
A.6.1.1 - Access control policy
A.6.2.1 - User registration and de-registration
A.8.2.1 - Classification of information
A.8.2.3 - Handling of assets
A.12.4.1 - Event logging
A.12.4.3 - Administrator and operator logs
🔵 SAMA CSF
Governance & Risk Management - Risk Assessment and Management
Information & Cybersecurity - Access Control and Authentication
Information & Cybersecurity - Audit Logging and Monitoring
Operational Resilience - Change Management
Operational Resilience - Incident Management
🟡 ISO 27001:2022
5.3 - Segregation of duties
6.2 - Removal or adjustment of access rights
8.1 - Operational planning and control
8.2 - Supply chain relationships
8.3 - Information and communication
8.4 - Operations
8.32 - Change management
8.33 - Testing, validation and restoration of information systems