phpMyFAQ Security Advisory

Possible arbitrary PHP code execution vulnerability

Issued on:
2013-11-26
Software:
phpMyFAQ <= 2.8.3
Risk:
Medium
Platforms:
all

The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 2.8.x.

Description

Secunia noticed while analysing the advisory that authenticated users with "Right to add attachments" are able to exploit an already publicly known issue in the bundled Ajax File Manager of phpMyFAQ version 2.8.3, which leads to arbitrary PHP code execution for authenticated users with the permission "Right to add attachments".

Solution

The phpMyFAQ Team has released a new phpMyFAQ version 2.8.4 which fixes thie vulnerability. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 2.8.3.

Credits

Please check this advisory for further information about the publicly known issue in the bundled Ajax File Manager.

Thanks

The phpMyFAQ teams would like to thank Secunia for the responsible disclosure of this vulnerability.