phpMyFAQ Security Advisory
SQL injection and remote code execution vulnerabilities in phpMyFAQ 1.6.x
- Issued on: 2006-12-15
- Software: phpMyFAQ <= 1.6.7
- Risk: High
- Platforms: all
The phpMyFAQ Team has learned about several vulnerabilities in the phpMyFAQ 1.6.x code that can be exploited remotely.
Description
One of the vulnerabilities makes it possible to gain the privilege to upload files to the server. No public exploit is currently available, but two users have already reported to us that they were compromised and that the r57shell script had been installed on their systems.
Solution
The phpMyFAQ Team has released the new phpMyFAQ version 1.6.8 which fixes these vulnerabilities. All users of the affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
At the time of this advisory there's no workaround except installing phpMyFAQ 1.6.8.
Credits
The phpMyFAQ Team would like to thank Markus Kohlmeyer for reporting to us how his system was compromised, and Stefan Esser for discovering all the other vulnerabilities.
