phpMyFAQ Security Advisory
Remote code execution vulnerability in phpMyFAQ 1.6.x
Issued on: 2007-02-18
Software: phpMyFAQ <= 1.6.9
Risk: High
Platforms: all
The phpMyFAQ Team has learned about a vulnerability in the code that could be exploited in phpMyFAQ 1.6.x.
Description
Through this vulnerability an attacker can gain the privilege to upload files to the server when register_globals is enabled. No public exploit is currently available, but several users have already reported to us that their installations were compromised and the r57shell script had been installed on their systems.
Solution
The phpMyFAQ Team has released the new phpMyFAQ version 1.6.10 which fixes the vulnerability. All users of the affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
If you are able to change the PHP configuration, set register_globals to Off in your php.ini. Note that this only mitigates the issue; upgrading to 1.6.10 is the actual fix.
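The following is an added illustration, not phpMyFAQ's own code, of the class of bug the description and the workaround refer to: with register_globals enabled, a permission variable that is only ever assigned on the success path can be pre-set by an attacker from the request. The variable and session key names ($canUpload, 'role') and the sample request are hypothetical; extract() is used only to emulate register_globals so the pattern can be reproduced on PHP versions that no longer have the setting.

```php
<?php
// Added example (not phpMyFAQ code): register_globals privilege bypass and two fixes.
// All names here ($canUpload, 'role', 'admin') are hypothetical.

// 0. Hard guard: refuse to run while register_globals is on. This is the setting
//    the workaround turns off:
//      php.ini                      register_globals = Off
//      .htaccess (Apache mod_php)   php_flag register_globals off
//    On PHP >= 5.4 the directive no longer exists, ini_get() returns false and
//    the guard passes.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    die('register_globals is enabled; refusing to run.');
}

// 1. Vulnerable pattern. With register_globals = On, PHP imports every request
//    parameter as a variable before the script runs, so a request such as
//      GET /upload.php?canUpload=1
//    defines $canUpload for a user who never passed the admin check.
//    extract($request) emulates that import (EXTR_OVERWRITE is the default).
function vulnerableUploadAllowed(array $request, array $session): bool
{
    extract($request);                       // emulates register_globals = On
    if (isset($session['role']) && $session['role'] === 'admin') {
        $canUpload = true;                   // only assigned on the success path
    }
    return !empty($canUpload);               // otherwise falls through to the request value
}

// 2. Hardened pattern: initialise every decision variable before use, and read
//    user input only through $_GET/$_POST/$_REQUEST, never as a bare name.
function hardenedUploadAllowed(array $request, array $session): bool
{
    $canUpload = false;                      // explicit default: no privilege
    if (isset($session['role']) && $session['role'] === 'admin') {
        $canUpload = true;
    }
    // $request is never extract()ed, so nothing in it can reach $canUpload.
    return $canUpload;
}

// Constructed sample input (not real traffic): an anonymous session plus an
// attacker-supplied parameter that names the permission variable.
$anonymousSession = [];
$forgedRequest    = ['canUpload' => '1'];

var_dump(vulnerableUploadAllowed($forgedRequest, $anonymousSession));
var_dump(hardenedUploadAllowed($forgedRequest, $anonymousSession));
```

Run with php on the command line: the vulnerable function grants the upload privilege to the anonymous caller purely because the request named the variable, while the hardened function denies it. The php.ini setting removes the whole class of bug at once; the explicit initialisation protects each individual check even on hosts where you cannot change the configuration.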
Credits
The phpMyFAQ Team would like to thank François Maillet and Enrico Fischer (Powerserver-Germany webHosting & DomainServices) for reporting the vulnerability, and Johannes Schlüter for discovering and fixing the issue.