phpMyFAQ Security Advisory
Execution of arbitrary PHP code in phpMyFAQ version 1.4 and 1.5
- Issued on: 2005-06-29
- Software: phpMyFAQ version 1.4 and 1.5
- Risk: high
- Platforms: all
The phpMyFAQ Team has learned of a serious security issue in the bundled XML-RPC library used by phpMyFAQ 1.4 and 1.5.
Description
The vulnerability is caused by an unspecified error in the library, which can be exploited to execute arbitrary PHP code via an application that uses the vulnerable library.
Impact
This issue allows for possible remote code execution.
Solution
The phpMyFAQ Team has released phpMyFAQ versions 1.4.9 and 1.5.0 RC5, which incorporate a fixed version of the bundled XML-RPC library. All users of affected phpMyFAQ versions are encouraged to upgrade to the latest version as soon as possible.
Workaround
As a temporary hotfix you can delete your xmlrpcs.php and xmlrpcs.php file in the directory inc/ so that your FAQ will not easily allow execution of malicious XML-RPC method calls.
Credits
Please read this advisory, too.
