Security Advisory 2014-09-16

Multiple security vulnerabilities in phpMyFAQ 2.8

The phpMyFAQ Team has learned of security issues that have been discovered in phpMyFAQ

2.8.12 and earlier:

phpMyFAQ 2.8.12 is containing a SQL Injection vulnerability through the restore

function. This functionality is only executable by admin users with special permissions.
The application containing cross site scripting and content spoofing vulnerabilities

through Flash files bundled with TinyMCE and Ajax FileManager plugins.
The bundled TinyMCE Editor (v3.5.11) containing a DOM based stored cross site scripting

vulnerability.
The "delete user" functionality of phpMyFAQ 2.8.12 is containing a CSRF vulnerability.
An attacker can delete any open question through another CSRF vulnerability because of

the lack of a CSRF token.
The check on "download an attachment" permissions is not working correct, so that anyone

can download attachments.
An admin having privilege to delete any FAQ multi-site primary instance.
The application containing an improper Captcha implementation, as a result an attacker

can replay the request to bypass the Captcha protections on forms.
Administrator is able to view information about specific user session with unfiltered

IPs and user agents.

The phpMyFAQ Team has released phpMyFAQ version 2.8.13 which fixes the vulnerabilities. All

users of affected phpMyFAQ versions are encouraged to upgrade as soon as possible to this

latest version.

There's no workaround except installing phpMyFAQ 2.8.13.

The phpMyFAQ teams would like to thank Nikhil Srivastava, CTO at

and Jinen Patel for the responsible disclosure of these vulnerabilities.