Summary
The remote web server contains a PHP script that permits information disclosure of local files.
Description
The version of phpMyFAQ on the remote host contains a flaw that may lead to unauthorized information disclosure. User input passed to the 'action' parameter is not properly verified before being used to include files, which could allow a remote attacker to view any accessible file on the system, resulting in a loss of confidentiality.
Solution
Upgrade to phpMyFAQ 1.3.13 or newer.
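A detection check for the flaw described above, as an added example that is not part of the original advisory or of phpMyFAQ: it scans web access-log lines for requests whose 'action' parameter is not a plain identifier. The log lines, the `/faq/index.php` path and the identifier rule are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: legitimate 'action' values are short identifiers, never paths.
SAFE_ACTION = re.compile(r"^[A-Za-z0-9_-]{1,64}$")
# Request field of the common/combined log format: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_action(target):
    """Return a reason if an 'action' value in the request target looks unsafe, else None."""
    for raw in parse_qs(urlsplit(target).query).get("action", []):
        value = fully_decode(raw)
        if "\x00" in value:
            return "null byte in action"
        if ".." in value or "/" in value or "\\" in value:
            return "path characters in action"
        if not SAFE_ACTION.match(value):
            return "action is not a plain identifier"
    return None

def scan(lines):
    """Return (line_number, reason) for every log line with a suspicious 'action'."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        reason = check_action(match.group(1)) if match else None
        if reason:
            hits.append((number, reason))
    return hits

# Constructed sample log lines (documentation IP addresses, placeholder file names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /faq/index.php?action=show&cat=1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2024:10:00:05 +0000] "GET /faq/index.php?action=..%2F..%2Fsome%2Ffile HTTP/1.1" 200 812',
    '192.0.2.44 - - [01/Jan/2024:10:00:06 +0000] "GET /faq/index.php?action=%252e%252e%252fsome%252ffile HTTP/1.1" 200 812',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /faq/index.php?lang=en HTTP/1.1" 200 4000',
]

if __name__ == "__main__":
    for number, reason in scan(SAMPLE_LOG):
        print(f"line {number}: {reason}")
```

A hit with a 200 response and an unusual body size is worth reviewing first; hits on a host already upgraded to 1.3.13 or newer indicate probing rather than disclosure.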
References
Updated on 2017-03-28
Severity
CVSS Base Score: 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:N
Classification
CVE: CVE-2004-2255
Related Vulnerabilities
- Apache Web Server ETag Header Information Disclosure Weakness
- Apache Struts2 'XWork' Information Disclosure Vulnerability
- AjaXplorer Remote Command Injection and Local File Disclosure Vulnerabilities
- Apache Tomcat 'sendfile' Request Attributes Information Disclosure Vulnerability
- Allegro RomPager HTTP Referer Header Cross Site Scripting Vulnerability