phpMyFAQ Security Advisory

phpMyFAQ vulnerable to XSS and CSRF

Issued on:
2014-02-04
Software:
phpMyFAQ <= 2.8.5
Risk:
High
Platforms:
all

The phpMyFAQ Team has learned of security issues that have been discovered in phpMyFAQ 2.8.5 and earlier. phpMyFAQ contains cross-site request forgery and cross-site scripting vulnerabilities.

Description

An arbitrary script may be executed on the user's Internet Explorer when using an older version of the browser. If a user views a malicious page while logged in, settings may be changed unintentionally.

Solution

The phpMyFAQ Team has released a new phpMyFAQ version 2.8.6 which fixes thie vulnerability. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version. Internet Explorer user are save with version 10 or later.

Workaround

There's no workaround except installing phpMyFAQ 2.8.6.

Credits

Thanks

The phpMyFAQ teams would like to thank JPCERT Coordination Center for the responsible disclosure of this vulnerability.