Execution of arbitrary PHP code in phpMyFAQ version 1.4 and 1.5
- Issued on:
- phpMyFAQ version 1.4 and 1.5
The phpMyFAQ Team has learned of a serious security issue discovered in the bundled XML-RPC library used in phpMyFAQ 1.4 and 1.5.
The vulnerability is caused by an unspecified error in the library that can be exploited to execute arbitrary PHP code through any application using it.
In phpMyFAQ this issue allows for possible remote code execution.
The phpMyFAQ Team has released phpMyFAQ 1.4.9 and 1.5.0 RC5, which include a fixed version of the bundled XML-RPC library. All users of affected phpMyFAQ versions are encouraged to upgrade to one of these versions as soon as possible.
As a temporary hotfix you can delete the xmlrpcs.php and xmlrpcs.php files in the inc/ directory, so that your FAQ will no longer easily allow execution of malicious XML-RPC method calls.
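As an added example (not part of the phpMyFAQ advisory or project), a small POSIX shell check that an administrator can run against one or more phpMyFAQ install roots to confirm whether the bundled XML-RPC server file named in the hotfix is still present; it assumes the install root is passed as an argument and that any companion library files share the `xmlrpc` prefix under inc/.

```shell
#!/bin/sh
# Added example, not the phpMyFAQ project's own code: report whether an
# install still carries inc/xmlrpcs.php, the file the temporary hotfix removes.
# Returns 0 when the file is absent (hotfix applied or fixed release installed),
# 1 when it is still present, 2 when the path does not look like a phpMyFAQ root.
phpmyfaq_xmlrpc_check() {
    root="$1"
    if [ ! -d "$root/inc" ]; then
        echo "$root: no inc/ directory, is this a phpMyFAQ root?" >&2
        return 2
    fi
    if [ -f "$root/inc/xmlrpcs.php" ]; then
        echo "$root: inc/xmlrpcs.php present -> XML-RPC method calls still reachable"
        # Assumption: other bundled XML-RPC files share the xmlrpc prefix;
        # list them so they can be reviewed together with xmlrpcs.php.
        for f in "$root"/inc/xmlrpc*.php; do
            [ -e "$f" ] && echo "  found: $f"
        done
        return 1
    fi
    echo "$root: inc/xmlrpcs.php absent -> hotfix applied (still upgrade to 1.4.9 / 1.5.0 RC5)"
    return 0
}

# Check every install root given on the command line; remember the worst result.
status=0
for d in "$@"; do
    phpmyfaq_xmlrpc_check "$d" || status=$?
done
```

Run it as `sh check.sh /var/www/faq1 /var/www/faq2`; a non-zero `$status` at the end means at least one install still needs the hotfix or the upgrade.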
Please read this advisory, too.