Security Advisory 2005-03-06
SQL injection vulnerability in phpMyFAQ version 1.4 and 1.5
- Issued on: 2005-03-06
- Software: phpMyFAQ version 1.4 and 1.5
- Risk: medium
- Platforms: all
The phpMyFAQ Team has learned of a possible SQL injection vulnerability in phpMyFAQ version 1.4
and 1.5.
Description
phpMyFAQ lets public users add FAQ records to the database. The records will be saved into the
database but aren't visible by default.
Impact
Input passed to the username field in forum messages isn't properly sanitised before being used
in the SQL statement that stores it, so a crafted value can change the statement rather than just
being stored as data.
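The following is an added illustration of the class of bug described above; it is not phpMyFAQ's own PHP code, and the table layout, column names and payload are constructed for this example only. It shows a user-supplied username spliced into an INSERT with string concatenation, beside the parameterised form that fixes it. Because new records "aren't visible by default", the interesting abuse is not just storing junk but closing the quoted value early and supplying the remaining columns yourself, here a hypothetical `active` flag.

```python
import sqlite3

# Constructed, simplified schema for illustration only; it is not phpMyFAQ's real table layout.
SCHEMA = """
CREATE TABLE faqdata (
    id      INTEGER PRIMARY KEY AUTOINCREMENT,
    thema   TEXT NOT NULL,
    content TEXT NOT NULL,
    author  TEXT NOT NULL,
    active  TEXT NOT NULL DEFAULT 'no'   -- public submissions are meant to stay 'no'
);
"""

# Constructed payload: closes the author string, supplies active='yes', and comments out
# the rest of the original statement.
PAYLOAD = "attacker', 'yes') -- "


def new_db():
    """Fresh in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_record_vulnerable(conn, thema, content, author):
    """String-built INSERT: the username becomes part of the SQL text itself."""
    sql = (
        "INSERT INTO faqdata (thema, content, author, active) "
        f"VALUES ('{thema}', '{content}', '{author}', 'no')"
    )
    conn.execute(sql)
    conn.commit()


def add_record_fixed(conn, thema, content, author):
    """Parameterised INSERT: the driver sends values separately from the SQL grammar,
    so quotes in the username are stored literally and cannot alter the statement."""
    conn.execute(
        "INSERT INTO faqdata (thema, content, author, active) VALUES (?, ?, ?, 'no')",
        (thema, content, author),
    )
    conn.commit()


def visible_records(conn):
    """Records a public visitor would see: only those flagged active."""
    return conn.execute(
        "SELECT thema, author FROM faqdata WHERE active = 'yes'"
    ).fetchall()


def demo():
    """Submit the same crafted username through both code paths and compare the outcome."""
    vuln = new_db()
    add_record_vulnerable(vuln, "Spam title", "Spam body", PAYLOAD)

    fixed = new_db()
    add_record_fixed(fixed, "Spam title", "Spam body", PAYLOAD)

    return {
        # Vulnerable path: the submitter's record is live without any review.
        "vulnerable_visible": visible_records(vuln),
        # Fixed path: nothing is visible, and the odd-looking username is just a string.
        "fixed_visible": visible_records(fixed),
        "fixed_stored_author": fixed.execute("SELECT author FROM faqdata").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the vulnerable function the executed statement ends up as `... VALUES ('Spam title', 'Spam body', 'attacker', 'yes') -- ', 'no')`, so the submitter has overridden the `active` column that the application never intended them to set. The fixed function stores the payload verbatim as the author name and the record stays hidden, which is the behaviour the upgrade restores.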
Solution
The phpMyFAQ Team has released phpMyFAQ 1.4.7 and 1.5.0 RC2, which incorporate a fix for the
SQL injection vulnerability. All users of affected phpMyFAQ versions are encouraged to upgrade
to the corresponding fixed release.
Workaround
There is no workaround except installing the new version.
Credits
The phpMyFAQ Team would like to thank Sven Michels of sectoor GmbH for discovering this SQL
injection vulnerability.