Security Advisory 2011-10-25
Remote PHP Code Injection Vulnerability in phpMyFAQ 2.6.18 and 2.7.0
- Issued on: 2011-11-25
- Software: phpMyFAQ <= 2.6.18 and phpMyFAQ <= 2.7.0
- Risk: Critical
- Platforms: all
The phpMyFAQ Team has learned of a serious security issue discovered in the bundled
ImageManager library used in phpMyFAQ 2.6 and 2.7.
Description
The bundled ImageManager library allows injection of arbitrary PHP code via POST requests.
Solution
The phpMyFAQ Team has released new phpMyFAQ versions 2.6.19 and 2.7.1, which incorporate a
fixed bundled ImageManager library. All users of affected phpMyFAQ versions are encouraged to
upgrade to the latest version of their branch as soon as possible.
Workaround
There is no workaround other than upgrading to phpMyFAQ 2.6.19 or phpMyFAQ 2.7.1.
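Since upgrading is the only remedy, the practical defender task is to find every install still on an affected version. The following inventory check is an added example, not phpMyFAQ project code; it encodes the affected range (<= 2.6.18 or 2.7.0) and the fixed releases (2.6.19, 2.7.1) from this advisory, and the hostnames and version strings in the sample inventory are constructed.

```python
"""Inventory triage for the phpMyFAQ ImageManager advisory (added example,
not phpMyFAQ project code): flag installs still on a version the advisory
lists as affected (<= 2.6.18 or 2.7.0) and name the fixed release to use."""
import re

LAST_AFFECTED_26 = (2, 6, 18)  # everything up to and including this
AFFECTED_27 = (2, 7, 0)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")

def parse_version(text):
    """'major.minor.patch' -> int tuple; anything else (e.g. a pre-release
    tag such as '2.7.1-RC1') is rejected so that it gets a manual look."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised phpMyFAQ version: %r" % text)
    return tuple(int(x) for x in m.groups())

def is_affected(version):
    """True when this version ships the vulnerable bundled ImageManager."""
    v = parse_version(version)
    return v <= LAST_AFFECTED_26 or v == AFFECTED_27

def required_upgrade(version):
    """Fixed release on the install's branch, or None if already fixed.
    Releases older than 2.6 get 2.6.19 as the nearest fixed release."""
    if not is_affected(version):
        return None
    return "2.7.1" if parse_version(version) >= AFFECTED_27 else "2.6.19"

def triage(inventory):
    """host -> version dict in; (host, version, action) out for hosts that
    need the upgrade or whose version string needs manual review."""
    findings = []
    for host, version in sorted(inventory.items()):
        try:
            target = required_upgrade(version)
        except ValueError:
            findings.append((host, version, "manual review"))
            continue
        if target is not None:
            findings.append((host, version, target))
    return findings

# Constructed sample inventory; the hostnames are not real.
SAMPLE_INVENTORY = {"faq-a.example": "2.6.18", "faq-b.example": "2.7.0",
                    "faq-c.example": "2.7.1", "faq-d.example": "2.6.19",
                    "faq-e.example": "2.7.1-RC1"}
```

Running `triage(SAMPLE_INVENTORY)` reports the two hosts on 2.6.18 and 2.7.0 with their target releases and flags the pre-release string for manual review, while the hosts already on 2.6.19 and 2.7.1 are silent.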
Credits
The phpMyFAQ Team would like to thank EgiX for discovering this vulnerability.