Security Advisory 2004-05-18

Vulnerabilities in phpMyFAQ versions 1.2.x, 1.3.x and 1.4.0

The phpMyFAQ Team has learned of security vulnerabilities in phpMyFAQ versions 1.2.x, 1.3.x, and 1.4.0 alpha1.

phpMyFAQ includes template files and due to insufficient checking of the variables, there is a possibility for inclusion

of arbitrary local files when using phpMyFAQ with PHP as Apache module and an incorrectly set open_basedir directive.

Both local and remote users may exploit these vulnerabilities to compromise the web server and, under certain

conditions, to gain privileged access. An intruder may be able to execute arbitrary code with the privileges of the web

server. These vulnerabilities may be exploited to compromise the web server and, under certain conditions, to gain

privileged access.

The phpMyFAQ Team has released new phpMyFAQ versions, 1.3.13 and 1.4.0 alpha2, which incorporate a fix for the

vulnerabilities. All users of affected phpMyFAQ versions are encouraged to upgrade to this latest version. A patch for

the unsupported phpMyFAQ 1.2.x versions is available too.

These vulnerabilities shouldn't work when the open_basedir directive in the php.ini file is set correctly. The

magic_quotes_gpc directive should be enabled by default on most systems since it's the default for PHP and most

well-known distributions.

The phpMyFAQ Team would like to thank Stefan Esser of e-matters GmbH for discovering this vulnerability. e-matters GmbH

has also released an independent advisory, describing the vulnerability in more detail.

Another thanks to Sven Michels (sectoor GmbH) for working out that magic_quotes_gpc turned on will prevent at least the

vulnerability in the stable version.