CVE-2005-3048

Name of the Vulnerable Software and Affected Versions PhpMyFaq version 1.5.1

Description The issue allows remote attackers to read arbitrary files or include arbitrary PHP files via a .. (dot dot) in the LANGCODE parameter. This also enables direct code injection via the User Agent field in a request packet, which can be activated by using LANGCODE to reference the user tracking data file.

Recommendations For PhpMyFaq version 1.5.1, consider restricting access to the LANGCODE parameter to minimize the risk of exploitation. As a temporary workaround, avoid using the LANGCODE parameter in the index.php file until a patch is available. Additionally, restrict the ability to inject code via the User Agent field in request packets.