phpMyFAQ Security Advisory

Remote PHP Code Execution Vulnerability in phpMyFAQ 2.7.4 and earlier

Issued on:
2012-04-14
Software:
phpMyFAQ <= 2.7.4
Risk:
Critical
Platforms:
all

The phpMyFAQ Team has learned of a serious security issue that has been discovered in our bundled ImageManager library we use in phpMyFAQ 2.7.

Description

The bundled ImageManager library allows injection of arbitrary PHP code to execute arbitrary php code and upload malware and trojan horses.

Solution

The phpMyFAQ Team has released a new phpMyFAQ version 2.7.5, which incorporates a fixed bundled ImageManager library. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 2.7.5.

Credits

The phpMyFAQ Team would like to thank EgiX for discovering this vulnerability.