Security Advisory 2014-09-16

Multiple security vulnerabilities in phpMyFAQ 2.8

Issued on: 2014-09-16
Software: phpMyFAQ <= 2.8.12
Risk: High
Platforms: all

The phpMyFAQ Team has learned of security issues that have been discovered in phpMyFAQ 2.8.12 and earlier:

  • SQL Injection
  • Various Cross Site Scripting issues
  • Content Spoofing
  • Cross Site Request Forgery
  • Privilege Escalations
  • Insecure Direct Object Reference
  • Captcha Implementation Bypass
  • Persistent XSS

Description

  • phpMyFAQ 2.8.12 contains a SQL injection vulnerability in the restore function. This functionality is only available to admin users with the corresponding special permission.
  • The application contains cross-site scripting and content spoofing vulnerabilities via Flash files bundled with the TinyMCE and Ajax FileManager plugins.
  • The bundled TinyMCE editor (v3.5.11) contains a DOM-based stored cross-site scripting vulnerability.
  • The "delete user" functionality of phpMyFAQ 2.8.12 contains a CSRF vulnerability.
  • An attacker can delete any open question through a second CSRF vulnerability, caused by a missing CSRF token.
  • The check of the "download an attachment" permission does not work correctly, so anyone who requests an attachment's URL directly can download it.
  • In a multi-site installation, an admin is able to delete any FAQ instance, including the primary instance, by modifying the instance ID parameter (authorization bypass).
  • The application contains an improper Captcha implementation: an attacker can replay a request containing an already solved Captcha to bypass the Captcha protection on forms.
  • An administrator viewing information about a specific user session is shown unfiltered IP addresses and user agents (persistent XSS).
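As an added illustration of the two request-level issues above (the missing CSRF tokens and the replayable Captcha), not code from phpMyFAQ or from this advisory, the following PHP shows the checks a hardened form handler performs. The session keys, the handler name and the sample values are assumptions made for the example.

```php
<?php
// Added illustration (not phpMyFAQ code): the two request-level checks the
// advisory describes as missing or broken, written as one form handler.
//
// 1. CSRF: every state-changing request must carry a per-session secret that a
//    page on another site cannot read. Without it, a hidden form elsewhere can
//    delete users or open questions in the victim's authenticated session.
// 2. Captcha replay: a solved Captcha must be consumed on first use. If the
//    solution stays valid, an attacker solves it once and replays the request.
//
// CSRF_TOKEN_KEY, CAPTCHA_KEY and handleDeleteOpenQuestion() are assumed
// names for this example.

declare(strict_types=1);

const CSRF_TOKEN_KEY = 'csrf_token';
const CAPTCHA_KEY    = 'captcha_answer';

/** Create (once per session) and return the CSRF token to embed in forms. */
function csrfToken(): string
{
    if (empty($_SESSION[CSRF_TOKEN_KEY])) {
        $_SESSION[CSRF_TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_TOKEN_KEY];
}

/** Constant-time comparison of the submitted token against the session copy. */
function csrfTokenIsValid(?string $submitted): bool
{
    $expected = $_SESSION[CSRF_TOKEN_KEY] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

/** Store the expected Captcha answer when the Captcha image is generated. */
function issueCaptcha(string $answer): void
{
    $_SESSION[CAPTCHA_KEY] = $answer;
}

/**
 * Verify the Captcha and consume it. The unset() is what defeats the replay:
 * whatever the outcome, the same answer cannot be submitted a second time.
 */
function captchaIsValidOnce(?string $submitted): bool
{
    $expected = $_SESSION[CAPTCHA_KEY] ?? null;
    unset($_SESSION[CAPTCHA_KEY]);           // one-time use
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

/**
 * Hardened handler for a "delete open question" POST. The vulnerable pattern
 * acts on $post['id'] directly; this version refuses unless the CSRF token
 * matches and the Captcha has not been used before.
 */
function handleDeleteOpenQuestion(array $post): string
{
    if (!csrfTokenIsValid($post[CSRF_TOKEN_KEY] ?? null)) {
        return 'rejected: missing or wrong CSRF token';
    }
    if (!captchaIsValidOnce($post['captcha'] ?? null)) {
        return 'rejected: Captcha missing, wrong, or already used';
    }
    // A real application would now check the user's permission and delete
    // question (int)$post['id'] from the database.
    return 'deleted question ' . (int)($post['id'] ?? 0);
}

// Demonstration with an in-memory session (constructed input; a stand-in
// for session_start() so the script runs from the command line).
$_SESSION = [];
issueCaptcha('7k3p');
$token = csrfToken();

// Cross-site form: the attacker cannot supply the token.
echo handleDeleteOpenQuestion(['id' => '42', 'captcha' => '7k3p']), "\n";
// Legitimate request from the site's own form.
echo handleDeleteOpenQuestion(['id' => '42', CSRF_TOKEN_KEY => $token, 'captcha' => '7k3p']), "\n";
// Replay of the same request: the Captcha has already been consumed.
echo handleDeleteOpenQuestion(['id' => '42', CSRF_TOKEN_KEY => $token, 'captcha' => '7k3p']), "\n";
```

Run from the command line, the three calls are rejected for the missing token, accepted, and then rejected again because the Captcha answer was consumed by the accepted request. Both comparisons use hash_equals() so that timing differences do not leak the expected values.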

Solution

The phpMyFAQ Team has released phpMyFAQ version 2.8.13 which fixes the vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this latest version.

Workaround

There's no workaround except installing phpMyFAQ 2.8.13.

References

  • SQL Injection: CVE-2014-6045
  • CSRF issues: CVE-2014-6046
  • incorrect enforcement of privilege restrictions: CVE-2014-6047
  • Direct request to the URL of an attachment: CVE-2014-6048
  • Authorization bypass with a modified instance ID parameter: CVE-2014-6049
  • Captcha implementation bypass: CVE-2014-6050

Thanks

The phpMyFAQ team would like to thank Nikhil Srivastava, CTO at Techdefence Labs, and Jinen Patel for the responsible disclosure of these vulnerabilities.
