What is phpMyFAQ ?
Free Download
38 translationsphpMyFAQ Security Advisory
phpMyFAQ 2.x XSS vulnerability
- Issued on:
- 2009-06-02
- Software:
- phpMyFAQ <= 2.0.14
- Risk:
- High
- Platforms:
- all
The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 2.0.x
Description
phpMyFAQ doesn't sanitize the error message in the admin login page. In case of a "bad login" attempt with a properly crafted URL it is f.e. possible to inject HTML code into the output of the error message, which could result in the leakage of domain cookies (f.e. session identifiers).
Solution
The phpMyFAQ Team has released a new phpMyFAQ version 2.0.15 which fixes the vulnerability. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.
Workaround
There's no workaround except installing phpMyFAQ 2.0.15.
Credits
The phpMyFAQ Team would like to thank Jan Hertsens and Rick G. Elliot (LiveOps Inc) for reporting the vulnerability.