paFaq contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when an attacker directly requests the backup.php script which does not require authentication. Using this script, they can download the entire paFaq database containing usernames and password hashes for all users. Once an attacker has the password hash for the administrative user, they can use it to authenticate against the system without decrypting it by setting their cookie to: Cookie: pafaq_user=USERNAMEHERE; pafaq_pass=PASSWORDHASH
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.