phpMyFAQ Security Advisory

SQL injection, takeover, path disclosure, remote code execution in phpMyFAQ 1.5.x

Issued on:
2005-09-23
Software:
phpMyFAQ <= 1.5.2
Risk:
critical
Platforms:
all

The phpMyFAQ Team has learned of a serious security issue that has been discovered in phpMyFAQ 1.5.

Description

If magic quotes are off there's a SQL injection when sending a forgotten password. It's possible to overwrite the admin password and to take over the whole system. In some files in the admin section there are some cross site scripting vulnerabilities. In the public frontend it's possible to include arbitrary php files.

Solution

The phpMyFAQ Team has released a new phpMyFAQ version 1.5.2 which fixes these vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 1.5.2.

Credits

Thanks to Christian Ney for the hint about the public exploit.

We would like to put emphasis on the disappointment we feel when a bugreporter does not contact the authors of a software first, before posting any exploits. The common way to report this, is to give the developers a reasonable amount of time to respond to an exploit before it is made public.