The phpMyFAQ Team has learned of a possible SQL injection vulnerability in phpMyFAQ versions 1.4 and 1.5.
phpMyFAQ lets public users add FAQ records to the database. The records will be saved into the database but aren't visible by default.
Input passed to the username field in forum messages isn't properly sanitised before being stored.
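The class of flaw described above, shown as an added example that is not phpMyFAQ's own code: a username spliced into the SQL text versus one passed as a bound parameter. Python's sqlite3 stands in for the application's database; the table, column names and sample username are constructed for illustration.

```python
import sqlite3

# Hypothetical schema: table and column names are assumptions, not phpMyFAQ's.
SCHEMA = """CREATE TABLE submissions (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL,
    content TEXT NOT NULL,
    visible INTEGER NOT NULL DEFAULT 0
)"""


def open_db():
    """In-memory database standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def store_unsafe(db, username, content):
    """Pattern behind this class of bug: input spliced into the SQL text."""
    sql = ("INSERT INTO submissions (username, content) "
           "VALUES ('%s', '%s')" % (username, content))
    db.execute(sql)  # the database parses the username as part of the statement


def store_safe(db, username, content):
    """Bound parameters: the statement text is fixed, values travel as data."""
    db.execute("INSERT INTO submissions (username, content) VALUES (?, ?)",
               (username, content))


def demo():
    """Return (unsafe_failed, stored_rows) for a constructed sample username."""
    username = "Patrick O'Neil"  # constructed input containing a quote
    db = open_db()
    try:
        store_unsafe(db, username, "How do I reset my password?")
        unsafe_failed = False
    except sqlite3.OperationalError:
        unsafe_failed = True  # the quote ended the string literal early
    store_safe(db, username, "How do I reset my password?")
    rows = db.execute("SELECT username, visible FROM submissions").fetchall()
    return unsafe_failed, rows


if __name__ == "__main__":
    print(demo())
```

An ordinary name containing an apostrophe is enough to break the string-built statement, which shows the field is being parsed as SQL; the parameterised form stores the same value unchanged and leaves the record hidden.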
The phpMyFAQ Team has released new phpMyFAQ versions 1.4.7 and 1.5.0 RC2, which incorporate a fix for the SQL injection vulnerability. All users of affected phpMyFAQ versions are encouraged to upgrade to one of these releases.
There is no workaround except installing the new version.
The phpMyFAQ Team would like to thank Sven Michels of sectoor GmbH for discovering this SQL injection vulnerability.