exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

PHP File Manager Backdoor / XSS / CSRF / Shell Upload

PHP File Manager Backdoor / XSS / CSRF / Shell Upload
Posted Jul 27, 2015
Authored by Sijmen Ruwhof

PHP File Manager suffers from cross site request forgery, cross site scripting, backdoor, file check, remote shell upload, and various other vulnerabilities.

tags | advisory, remote, shell, php, vulnerability, xss, csrf
SHA-256 | fdce4b71d80c857ab7c7314a383b0e1455af501dd6b040a30a6b5b7e8582ae3b

PHP File Manager Backdoor / XSS / CSRF / Shell Upload

Change Mirror Download
Multiple critical security vulnerabilities (including a backdoor!) in PHP
File Manager

I've found several critical security vulnerabilities in PHP File Manager. On
top of that, it even includes a poorly secured backdoor, leaving this web
based file manager completely open. I've contacted the vendor three times
but got no response of them, so I'm going full disclosure.

Identified critical security vulnerabilities:

1. Poorly secured backdoor user that compromises all security
measurements. This user is located in file '/db/valid.users' and has user
name '****__DO_NOT_REMOVE_THIS_ENTRY__****'.

2. User database in file '/db/valid.users' is completely unprotected and
can be freely downloaded via any web browser. Password hashes stored in the
user database are unsalted and are generated via the deprecated MD5 hash
algorithm. Most of these hashes can be instantly reverted back to their
original password via online MD5 reversing services.

3. Arbitrary and unauthenticated file uploads are possible because an
old version (2.1.0) of the library Uploadify is used. PHP code can be
uploaded and executed, compromising security completely.

4. There is no configuration option available to restrict the file
extensions that are allowed to be uploaded by authenticated users: you can
upload and also execute PHP files.

Identified high security vulnerabilities:

1. Multiple cross-site scripting vulnerabilities, making identify theft
attack scenario's possible.

2. No authentication or authorization checks are performed on files that
are uploaded by users. If you know the internet address of a file, you can
download it without being logged in.

3. Cross site request forgery is possible.

Identified medium security vulnerabilities:

1. No password strength policy is implemented. A user can generate a
password of one character.

2. A user if not forced to change the default passwords of all default
installed users, such as the password for the administrator account.

3. PHP session files are stored in the web root.

4. Referrer leakages to vendor: they have the ability to know where you
installed PHP File Manager.

5. File uploads are directly stored in the web root, not in a separate
upload folder on the server out of the web root.

6. Ability to check if arbitrary files exists on the system without
having to log in.

7. Default users (admin, User1 and User2) are installed which all got
the same password set.

8. No protection against brute force attacks on the login screen.

9. Session cookie without HttpOnly and Secure protection.

10. No HTTP Strict Transport Security support is implementation.

11. No Content Security Policy implemented.

12. Privilege escalation possible for authenticated users if PHP
configuration optionregister_globals is set to true.

13. Outdated jQuery library that is probably vulnerable for cross-site
scripting attacks. The file /uploader/jquery-1.3.2.min.js is from February
20, 2009.

Identified low security vulnerabilities:

1. Local path disclosure via installation support scripts (in
/show_windows_path.phpand /show_linux_path.php).

More information available in my web log post at

Login or Register to add favorites

File Archive:

October 2023

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    0 Files
  • 2
    Oct 2nd
    22 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By