Skip to content

Potential Authenticated Path Traversal in PDF Export (phpMyFAQ 4.x)

Moderate
thorsten published GHSA-88g4-74f3-63x9 Jun 14, 2026

Package

phpMyFAQ

Affected versions

4.1.4

Patched versions

4.1.5

Description

Potential Authenticated Path Traversal in PDF Export

Hello phpMyFAQ Security Team,

I would like to responsibly disclose a potential security issue I identified during a security review of phpMyFAQ.

Summary

I found what appears to be an authenticated path traversal condition in the PDF export functionality, specifically within the PDF image resolution logic.

Based on my review, the issue may allow a privileged FAQ editor to cause the application to attempt reading files outside the intended content directory during PDF generation.


Affected Component

File:
src/phpMyFAQ/Export/Pdf/Wrapper.php

Function:
concatenatePaths()


Root Cause

The path resolution logic relies on locating the substring "content" within a user-controlled path:

$pos = strpos($trimmedFile, 'content');
$relativePath = substr($trimmedFile, (int) $pos);

If "content" is not present, strpos() returns false, which becomes 0 when cast to an integer.

As a result, the entire attacker-controlled path is preserved.

Example:

$trimmedFile = "../../../etc/passwd";
$pos = false;
$relativePath = "../../../etc/passwd";

The resulting path is later processed by:

file_get_contents($resolvedPath);

without canonicalization or a root-directory containment check.


Observed Data Flow

FAQ Content
    ->
PDF Export
    ->
WriteHTML()
    ->
Wrapper::Image()
    ->
concatenatePaths()
    ->
file_get_contents()

Potential Impact

Based on code review, a user with FAQ editing privileges may be able to store HTML containing crafted image paths that are processed during PDF generation.

Potential consequences may include:

  • Path traversal outside the intended content directory
  • Local file read attempts during PDF export
  • Possible disclosure of readable files depending on file type, sanitization behavior, and PDF rendering constraints

Discovery Method

This issue was initially detected by an internally developed SAST tool during analysis of the phpMyFAQ source code.

The finding was then manually investigated and validated through code review.

While the original scanner output classified the issue as a generic path traversal/local file inclusion pattern, manual analysis identified the specific root cause in the path resolution logic of concatenatePaths().


Current Assessment

At this stage I have confirmed:

  • The path traversal condition exists in concatenatePaths()
  • The resolved path reaches file_get_contents()
  • No realpath()-based containment validation is performed

However, I have not yet fully verified all runtime conditions required for practical disclosure, including:

  • HTML sanitization behavior during FAQ save operations
  • PDF rendering behavior for non-image files
  • Whether arbitrary file contents can always be disclosed to the PDF consumer

For this reason I am reporting the issue conservatively as a potential authenticated path traversal / local file read vulnerability rather than claiming confirmed arbitrary file disclosure.


Potential Exploitation Scenario

The following scenario is based on code review and intended to illustrate the potential impact:

  1. A user with FAQ editing privileges creates or modifies a FAQ entry.

  2. The FAQ content contains an HTML image tag with a crafted relative path that does not include the expected content directory reference.

  3. The HTML content is stored and later processed by the PDF export functionality.

  4. When a user requests the PDF version of the FAQ, the application invokes WriteHTML(), which eventually reaches Wrapper::Image().

  5. concatenatePaths() constructs a filesystem path without canonicalization or directory containment validation.

  6. The resulting path reaches file_get_contents(), causing the application to attempt reading a file outside the intended content directory.

  7. Depending on sanitization behavior, file permissions, image validation, and PDF rendering behavior, the contents of the targeted file may potentially be exposed to the PDF consumer.

Based on my current analysis, exploitation would require a user capable of editing FAQ content and is therefore not considered an anonymous or unauthenticated attack vector.


Suggested Remediation

Consider replacing substring-based path anchoring with:

  • realpath() canonicalization
  • Strict root-directory containment checks
  • Explicit allowlisting of permitted image locations

Additional Notes

I have prepared a more detailed technical analysis and can provide it if helpful.

Please let me know if additional information, testing details, or a proof-of-concept would be useful.

Thank you for your time and for maintaining phpMyFAQ.

Kind regards,

[Your Name]
Security Researcher

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVE ID

No known CVE

Weaknesses

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. Learn more on MITRE.

Credits