PhpMyFaq 1.5.1 stores data files under the web document root with insufficient access control and predictable filenames, which allows remote attackers to obtain sensitive information via a direct request to the data/tracking[DATE] file.

If magic quotes are off there's a SQL injection when sending a forgotten password. It's possible to overwrite the admin password and to take over the whole system. In some files in the admin section there are some cross site scripting vulnerabilities. In the public frontend it's possible to include arbitrary php files.

The remote host is running a version of phpMyFAQ that suffers from arbitrary code execution (if the server is Windows-based), SQL injection and cross-site scripting attacks, as well as information disclosure.

The remote host is running phpMyFAQ, a web-based Frequently-Asked-Questions (FAQ) application.  This version of phpMyFAQ is vulnerable to a remote SQL injection attack.  An attacker exploiting this flaw would send a specially crafted HTTP request to the application.  Upon parsing the request, the server would be coerced into running commands embedded within the request.  A successful attack would give the attacker the ability to view data, modify data, and potentially execute systems commands with the permission of the web server.

ID	Name	Product	Family	Severity
21510	FreeBSD : phpmyfaq -- SQL injection, takeover, path disclosure, remote code execution (c6b9aee8-3071-11da-af18-000ae4641456)	Nessus	FreeBSD Local Security Checks	medium
19778	phpMyFAQ < 1.5.2 Multiple Vulnerabilities	Nessus	CGI abuses	medium
2675	phpMyFAQ < 1.6.0 SQL Injection (deprecated)	Nessus Network Monitor	CGI	high

Detections

Analytics

CVE-2005-3049

high

Tenable Plugins

medium

medium

high