----------------------------------------------------------------------

Bist Du interessiert an einem neuen Job in IT-Sicherheit?


Secunia hat zwei freie Stellen als Junior und Senior Spezialist in IT-
Sicherheit:
https://secunia.com/secunia_vacancies/

----------------------------------------------------------------------

TITLE:
phpMyFAQ Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA16933

VERIFY ADVISORY:
https://secunia.com/advisories/16933/

CRITICAL:
Highly critical

IMPACT:
Cross Site Scripting, Manipulation of data, Exposure of system
information, Exposure of sensitive information, System access

WHERE:
>From remote

SOFTWARE:
phpMyFAQ 1.x
https://secunia.com/product/3487/

DESCRIPTION:
rgod has discovered some vulnerabilities in phpMyFAQ, which can be
exploited by malicious people to conduct cross-site scripting and SQL
injection attacks, disclose system and sensitive information, and
compromise a vulnerable system.

1) Input passed to the "username" parameter in "password.php" when
using the forgotten password functionality isn't properly sanitised
before being used in a SQL query. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is
disabled.

2) Input passed to the "PMF_CONF[version]" parameter in "footer.php"
and the "PMF_LANG[metaLanguage]" parameter in "header.php" isn't
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

3) Input passed to the "LANGCODE" parameter in "index.php" isn't
properly verified, before it is used to include files. This can be
exploited to include arbitrary files from local resources.

This can further be exploited to execute arbitrary PHP code by
including log files containing injected PHP code sent via the
"User-Agent" HTTP header.

Successful exploitation requires that "magic_quotes_gpc" is
disabled.

4) The problem is that log files are insecurely placed inside the web
root. This can be exploited to disclose some user information (e.g.
requested URLs).

The vulnerabilities have been confirmed in version 1.5.1. Prior
versions may also be affected.

SOLUTION:
Update to version 1.5.2.
https://www.phpmyfaq.de/download.php

PROVIDED AND/OR DISCOVERED BY:
rgod

ORIGINAL ADVISORY:
phpMyFAQ:
https://www.phpmyfaq.de/advisory_2005-09-23.php

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
https://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
https://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------