Security Advisory 2005-09-23
SQL injection, takeover, path disclosure, remote code execution in phpMyFAQ 1.5.x
- Issued on: 2005-09-23
- Software: phpMyFAQ <= 1.5.2
- Risk: critical
- Platforms: all
The phpMyFAQ Team has learned of a serious security issue that has been discovered in phpMyFAQ 1.5.
Description
If magic quotes are off, there is an SQL injection in the feature that sends a forgotten
password. It is possible to overwrite the admin password and to take over the whole system.
Some files in the admin section contain cross-site scripting vulnerabilities. In the public
frontend it is possible to include arbitrary PHP files.
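The class of bug behind the forgotten-password SQL injection described above, shown as an added example that is not phpMyFAQ's own code: a lookup that pastes the request value into the SQL text, beside the same lookup with a bound parameter. The table `demo_user`, the `email` lookup field, the function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example: constructed schema and data, not phpMyFAQ's real tables or code.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE demo_user (login TEXT, email TEXT)");
$db->exec("INSERT INTO demo_user VALUES ('admin', 'admin@example.org')");
$db->exec("INSERT INTO demo_user VALUES ('alice', 'alice@example.org')");

// "Before": the request value is pasted into the SQL text, so its safety
// depends entirely on an environment setting such as magic quotes being on.
function find_by_email_concat(PDO $db, string $email): array
{
    $sql = "SELECT login FROM demo_user WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "After": the value is bound as data and never parsed as SQL, so the
// result is the same whatever the server's quoting configuration is.
function find_by_email_bound(PDO $db, string $email): array
{
    $stmt = $db->prepare("SELECT login FROM demo_user WHERE email = :email");
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: one ordinary address, one containing a quote.
$inputs = ["alice@example.org", "nobody@example.org' OR '1'='1"];
foreach ($inputs as $email) {
    printf("%-32s concat=%d rows, bound=%d rows\n", $email,
        count(find_by_email_concat($db, $email)),
        count(find_by_email_bound($db, $email)));
}
```

For the second input the concatenated query matches every row because the quote ends the string literal early, while the bound query matches none.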
Solution
The phpMyFAQ Team has released a new phpMyFAQ version 1.5.2 which fixes these vulnerabilities.
All users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this
latest version.
Workaround
There's no workaround except installing phpMyFAQ 1.5.2.
Credits
Thanks to Christian Ney for the hint about the public exploit.
We would like to put emphasis on the disappointment we feel when a bug reporter does not contact
the authors of the software first, before posting any exploits. The common way to report this is
to give the developers a reasonable amount of time to respond to an exploit before it is made
public.