Security Advisory 2012-04-14

Remote PHP Code Execution Vulnerability in phpMyFAQ 2.7.4 and earlier

Issued on:
2012-04-14
Software:
phpMyFAQ <= 2.7.4
Risk:
Critical
Platforms:
all

The phpMyFAQ Team has learned of a serious security issue that has been discovered in the bundled ImageManager library we use in phpMyFAQ 2.7.

Description

The bundled ImageManager library allows injection of arbitrary PHP code, which an attacker can use to execute arbitrary PHP code on the server and to upload malware and trojan horses.

Solution

The phpMyFAQ Team has released a new phpMyFAQ version 2.7.5, which incorporates a fixed bundled ImageManager library. All users of affected phpMyFAQ versions are encouraged to upgrade to this latest version as soon as possible.

Workaround

There's no workaround except installing phpMyFAQ 2.7.5.

Credits

The phpMyFAQ Team would like to thank EgiX for discovering this vulnerability.