Directory traversal vulnerability in phpMyFAQ 1.3.12 allows remote attackers to read arbitrary files, and possibly execute local PHP files, via the action variable, which is used as part of a template filename.
phpMyFAQ index.php action Parameter Local File Inclusion
Remote / Network Access
Loss of Integrity
phpMyFAQ contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to 'index.php' not properly sanitizing user input supplied to the 'action' variable. This may allow a remote attacker to include arbitrary files from the local host and view any accessible file on the system, resulting in a loss of confidentiality.
Upgrade to version 1.3.13 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
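The flaw class described above (a request parameter used as part of a template filename), shown beside a hardened form. This is an added example, not phpMyFAQ source code and not the 1.3.13 fix; the function names, action names, `template` directory and `.tpl` suffix are assumptions made for illustration.

```php
<?php
// Hypothetical dispatcher for illustration only; not phpMyFAQ code.
// TEMPLATE_DIR, the ".tpl" suffix and the action names are assumptions.
const TEMPLATE_DIR = __DIR__ . '/template';

// Pattern the advisory describes: request input concatenated into a path.
// Path separators and ".." in $action move the result outside TEMPLATE_DIR.
function template_path_unsafe(string $action): string
{
    return TEMPLATE_DIR . '/' . $action . '.tpl';
}

// Hardened form: the request value only selects a key in a fixed map,
// so no attacker-controlled bytes ever reach the filesystem path.
const ACTION_TEMPLATES = [
    'main'   => 'main.tpl',
    'search' => 'search.tpl',
    'show'   => 'show.tpl',
];

function template_path_safe(string $action): ?string
{
    if (!array_key_exists($action, ACTION_TEMPLATES)) {
        return null; // unknown action: reject instead of trying to clean it
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . ACTION_TEMPLATES[$action]);
    // Defense in depth: the resolved path must still sit inside TEMPLATE_DIR
    // (catches symlinks and a mis-edited map). A missing file is also rejected.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample inputs: one expected action and three malformed ones.
foreach (['main', '../../config', "main\0", 'search/../../x'] as $action) {
    printf(
        "%-22s unsafe=%s\n%22s   safe=%s\n",
        json_encode($action),
        json_encode(template_path_unsafe($action)),
        '',
        template_path_safe($action) ?? 'rejected'
    );
}
```

Run with `php` from a directory containing `template/main.tpl` to see the expected action resolve; every other sample input is rejected by the map lookup before any path is built.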