Security Advisory 2013-11-18
Possible arbitrary PHP code execution vulnerability
- Issued on: 2013-11-26
- Software: phpMyFAQ <= 2.8.3
- Risk: Medium
- Platforms: all
The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ
2.8.x.
Description
While analysing the advisory, Secunia noticed that authenticated users with the permission
"Right to add attachments" are able to exploit an already publicly known issue in the Ajax
File Manager bundled with phpMyFAQ version 2.8.3, which leads to arbitrary PHP code
execution.
Solution
The phpMyFAQ Team has released a new phpMyFAQ version 2.8.4 which fixes this vulnerability.
All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to
this latest version.
Workaround
There's no workaround except installing phpMyFAQ 2.8.3.
Credits
Please check this advisory for further
information about the publicly known issue in the bundled Ajax File Manager.
Thanks
The phpMyFAQ Team would like to thank Secunia for the
responsible disclosure of this vulnerability.