3.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-29196

GHSA ID

GHSA-mmh6-5cpf-2c72

EPSS Score

0.63341%

CWE

CWE-22

Published

3/25/2024

Updated

3/26/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-29196

CVE-2024-29196:
phpMyFAQ Path Traversal in Attachments

Summary

There is a Path Traversal vulnerability in Attachments that allows attackers with admin rights to upload malicious files to other locations of the web root.

PoC

In settings, the attachment location is vulnerable to path traversal and can be set to e.g ..\hacked
When the above is set, attachments files are now uploaded to e.g C:\Apps\XAMPP\htdocs\hacked instead of C:\Apps\XAMPP\htdocs\phpmyfaq\attachments
Verify this by uploading an attachment and see that the "hacked" directory is now created in the web root folder with the attachment file inside.

Impact

Attackers can potentially upload malicious files outside the specified directory.

(GitHub Advisory)

3.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-29196

GHSA ID

GHSA-mmh6-5cpf-2c72

EPSS Score

0.63341%

CWE

CWE-22

Published

3/25/2024

Updated

3/26/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
phpmyfaq/phpmyfaq	composer	= 3.2.5	3.2.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper path sanitization in the configuration update handler. The original code (pre-patch) used a simple string replacement to remove '../' sequences, which is insufficient to prevent path traversal attacks. This logic was located in phpmyfaq/admin/configuration.php where user-supplied attachment path values were processed. The commit diff shows the vulnerable pattern replacement was replaced with realpath() validation and document root comparison, confirming this was the vulnerable code path. While no named function is explicitly shown, the procedural code handling configuration updates for 'records.attachmentsPath' directly enabled the traversal vulnerability through inadequate sanitization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry T**r* is * P*t* Tr*v*rs*l vuln*r**ility in *tt***m*nts t**t *llows *tt**k*rs wit* **min ri**ts to uplo** m*li*ious *il*s to ot**r lo**tions o* t** w** root. ### Po* *. In s*ttin*s, t** *tt***m*nt lo**tion is vuln*r**l* to p*t* tr*v*rs*l

Reasoning

T** vuln*r**ility st*ms *rom improp*r p*t* s*nitiz*tion in t** *on*i*ur*tion up**t* **n*l*r. T** ori*in*l *o** (pr*-p*t**) us** * simpl* strin* r*pl***m*nt to r*mov* '../' s*qu*n**s, w*i** is insu**i*i*nt to pr*v*nt p*t* tr*v*rs*l *tt**ks. T*is lo*i*

3.8

Basic Information

Concerned about an active attack path?

CVE-2024-29196: phpMyFAQ Path Traversal in Attachments

Summary

PoC

Impact

3.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-29196:
phpMyFAQ Path Traversal in Attachments

Vulnerability Intelligence
Miggo AI