phpMyFAQ Security Advisory

Remote PHP Code Injection Vulnerability in phpMyFAQ 2.6.18 and 2.7.0

Issued on:
2011-11-25
Software:
phpMyFAQ <= 2.6.18 and phpMyFAQ <= 2.7.0
Risk:
Critical
Platforms:
all

The phpMyFAQ Team has learned of a serious security issue that has been discovered in our bundled ImageManager library we use in phpMyFAQ 2.6 and 2.7.

Description

The bundled ImageManager library allows injection of arbitrary PHP code via POST requests.

Solution

The phpMyFAQ Team has released a new phpMyFAQ version 2.6.19 and 2.7.1, which incorporates a fixed bundled ImageManager library. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 2.6.19 and phpMyFAQ 2.7.1.

Credits

The phpMyFAQ Team would like to thank EgiX for discovering this vulnerability.