The phpMyFAQ Team has learned of security vulnerabilities in phpMyFAQ versions 1.2.x, 1.3.x and 1.4.0 alpha1.
phpMyFAQ includes template files and due to insufficient checking of the variables there is a possibility for inclusion of arbitrary local files when using phpMyFAQ with PHP as Apache module and an incorrectly set open_basedir directive.
Both local and remote users may exploit these vulnerabilities to compromise the web server and, under certain conditions, to gain privileged access. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerabilities may be exploited to compromise the web server and, under certain conditions, to gain privileged access.
The phpMyFAQ Team has released new phpMyFAQ versions, 1.3.13 and 1.4.0 alpha2, which incorporate a fix for the vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade to this latest version. A patch for the unsupported phpMyFAQ 1.2.x versions is available, too.
These vulnerabilities shouldn't work when the open_basedir directive in the php.ini file is set correctly. The magic_quotes_gpc directive should be enabled by default on most systems since its the default for PHP and most well known distributions.
The phpMyFAQ Team would like to thank Stefan Esser of e-matters GmbH for discovering this vulnerability. e-matters GmbH has also released an independent advisory, describing the vulnerability in more detail.
Another Thanks to Sven Michels (sectoor GmbH) for working out that magic_quotes_gpc turned on will prevent at least the vulnerability in the stable version.