Remote PHP Code Injection Vulnerability in phpMyFAQ 1.4.x and 1.5.x
- Issued on:
- phpMyFAQ <= 1.4.10 and phpMyFAQ <= 1.5.0 RC6
The phpMyFAQ Team has learned of a serious security issue in the XML-RPC library bundled with phpMyFAQ 1.4 and 1.5.
The bundled XML-RPC library allows injection of arbitrary PHP code into eval() statements. The cause is improper handling of XML-RPC requests and responses that are malformed in a certain way: text taken from the XML is placed into PHP source that is then evaluated, so a crafted request can execute attacker-supplied PHP with the privileges of the web server.
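The following added example (written for this advisory; it is not code from phpMyFAQ or from the bundled XML-RPC library) illustrates the class of bug described above: an XML-RPC decoder that assembles PHP source from request text and runs it through eval(), next to a decoder that parses the XML with a real parser and never generates code. The function names, the `faq.echo` method name and both sample requests are constructed for the illustration and do not reproduce the library's actual code path or a real payload against phpMyFAQ.

```php
<?php
// Added illustration for this advisory: NOT the code of phpMyFAQ or of the
// bundled XML-RPC library. Function names, the method name and both sample
// requests are constructed for the demonstration.

// Constructed benign request: one string parameter.
$benign = '<methodCall><methodName>faq.echo</methodName>'
        . '<params><param><value><string>hello</string></value></param></params>'
        . '</methodCall>';

// Constructed malformed request: the string value closes the quoted literal
// that the vulnerable decoder builds, appends PHP code, and comments out the
// rest of the generated line.
$malicious = '<methodCall><methodName>faq.echo</methodName>'
           . '<params><param><value><string>a\'); echo "INJECTED\n"; //</string></value></param></params>'
           . '</methodCall>';

// Vulnerable pattern: request text is pasted into PHP source, then eval()ed.
function decode_vulnerable(string $xml): array
{
    preg_match_all('#<string>(.*?)</string>#s', $xml, $m);
    $code = '$params = array();';
    foreach ($m[1] as $value) {
        // No escaping: a single quote in the value terminates the literal,
        // and whatever follows it is executed as PHP inside eval().
        $code .= ' $params[] = (\'' . $value . '\');';
    }
    eval($code);   // eval() shares this function's scope, so $params is set here
    return $params;
}

// Hardened pattern: parse the XML with libxml and copy the values out as data.
// No PHP source is generated, so there is nothing for a request to inject into.
function decode_hardened(string $xml): array
{
    $prev = libxml_use_internal_errors(true);
    $doc  = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    if ($doc === false || $doc->getName() !== 'methodCall' || !isset($doc->methodName)) {
        throw new InvalidArgumentException('malformed XML-RPC request');
    }

    $params = [];
    if (isset($doc->params)) {
        foreach ($doc->params->param as $param) {
            // <value>text</value> without a type element defaults to string in XML-RPC.
            $value    = isset($param->value->string) ? $param->value->string : $param->value;
            $params[] = (string) $value;
        }
    }
    return ['method' => (string) $doc->methodName, 'params' => $params];
}

// Benign input: both decoders hand the value back as data.
var_export(decode_vulnerable($benign)); echo "\n";
var_export(decode_hardened($benign));   echo "\n";

// Malformed input: the vulnerable decoder runs the injected echo while
// decoding; the hardened decoder returns the same text as an inert string.
var_export(decode_vulnerable($malicious)); echo "\n";
var_export(decode_hardened($malicious));   echo "\n";
```

Run it with `php example.php`. The point of the comparison is that the fix for this class of bug is not escaping the quote but removing code generation from the decoder altogether: a decoder that contains no eval() (or create_function()) has no place for request text to become code.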
The phpMyFAQ Team has released phpMyFAQ 1.4.11 and 1.5.0 RC7, which include a fixed version of the bundled XML-RPC library. All users of affected phpMyFAQ versions are encouraged to upgrade to the corresponding release as soon as possible.
As a temporary hotfix, delete the files xmlrpc.php and xmlrpcs.php in the inc/ directory, so that your FAQ will no longer easily allow execution of malicious XML-RPC method calls. Any feature of your FAQ that relies on XML-RPC will stop working until you upgrade.