
PHP File Manager Backdoor / XSS / CSRF / Shell Upload

Posted Jul 27, 2015
Authored by Sijmen Ruwhof

PHP File Manager suffers from cross site request forgery, cross site scripting, backdoor, file check, remote shell upload, and various other vulnerabilities.

tags | advisory, remote, shell, php, vulnerability, xss, csrf
SHA-256 | fdce4b71d80c857ab7c7314a383b0e1455af501dd6b040a30a6b5b7e8582ae3b

Multiple critical security vulnerabilities (including a backdoor!) in PHP File Manager



I've found several critical security vulnerabilities in PHP File Manager. On
top of that, it even includes a poorly secured backdoor, leaving this
web-based file manager completely open. I've contacted the vendor three times
but got no response from them, so I'm going full disclosure.



Identified critical security vulnerabilities:

1. Poorly secured backdoor user that bypasses all security measures. This
user is located in the file '/db/valid.users' and has the user name
'****__DO_NOT_REMOVE_THIS_ENTRY__****'.

2. The user database in the file '/db/valid.users' is completely unprotected
and can be freely downloaded with any web browser. The password hashes stored
in it are unsalted and are generated with the deprecated MD5 hash algorithm.
Most of these hashes can be instantly recovered via online MD5 lookup services
(precomputed tables), and because no salt is used, users who share a password
also share an identical hash.

3. Arbitrary, unauthenticated file uploads are possible because an old
version (2.1.0) of the Uploadify library is used. PHP code can be uploaded and
executed, compromising the server completely.

4. There is no configuration option to restrict the file extensions that
authenticated users are allowed to upload: you can upload and also execute
PHP files.


Identified high security vulnerabilities:

1. Multiple cross-site scripting vulnerabilities, making identity theft
attack scenarios possible (the session cookie lacks HttpOnly, see below, so
injected script can read it).

2. No authentication or authorization checks are performed on files that
are uploaded by users. If you know the URL of a file, you can download it
without being logged in.

3. Cross-site request forgery is possible.
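The following is an added example, not code from the advisory or from PHP File Manager. It addresses critical finding 4 and high finding 2 together: uploads are filtered by an extension allowlist, stored under a random name outside the web root, and handed back only through an authorization check instead of a guessable URL. The allowlist, the storage directory '/var/lib/filemanager/uploads', the in-memory `FILES` table and the "admin" role name are all assumptions of this example.

```python
import os
import secrets

# Allowlist of extensions that are safe to hand back as static downloads;
# server-side executable types (php, phtml, phar, ...) are simply absent.
ALLOWED_EXTENSIONS = {"txt", "pdf", "png", "jpg", "jpeg", "gif", "zip"}

# Hypothetical storage directory outside the document root (assumption; any
# path the web server does not serve directly will do).
UPLOAD_ROOT = "/var/lib/filemanager/uploads"

# In-memory stand-in for a metadata table: file_id -> owner, original name, path.
FILES = {}


class UploadRejected(ValueError):
    pass


def validate_upload_name(client_filename):
    """Return the lower-cased final extension if the name is acceptable, else raise.

    Only the last extension counts, so 'shell.jpg.php' is rejected outright, while
    'shell.php.jpg' passes but is stored under a random name outside the web root,
    where no interpreter will ever be asked to run it.
    """
    if any(c in client_filename for c in ("\x00", "/", "\\")):
        raise UploadRejected("path separator or NUL byte in filename")
    stem, dot, ext = client_filename.rpartition(".")
    if not dot or not stem or not ext:
        raise UploadRejected("filename needs both a name and an extension")
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not on the allowlist: " + ext)
    return ext


def is_acceptable_upload_name(client_filename):
    """Boolean wrapper around validate_upload_name for callers that do not need the reason."""
    try:
        validate_upload_name(client_filename)
    except UploadRejected:
        return False
    return True


def register_upload(owner, client_filename, upload_root=UPLOAD_ROOT):
    """Record an upload under a random id. The client-chosen name is kept only as
    metadata and never becomes part of an on-disk path or a URL. Returns the id."""
    ext = validate_upload_name(client_filename)
    file_id = secrets.token_hex(16)
    FILES[file_id] = {
        "owner": owner,
        "original_name": client_filename,
        "path": os.path.join(upload_root, file_id + "." + ext),
    }
    return file_id


def authorize_download(session_user, file_id):
    """Every download passes through this check rather than through a file in the
    web root: the caller must be logged in and must own the file (or be admin).
    Returns the on-disk path to stream back, or None if the request is refused."""
    if session_user is None:
        return None
    meta = FILES.get(file_id)
    if meta is None:
        return None
    if session_user != meta["owner"] and session_user != "admin":
        return None
    return meta["path"]


if __name__ == "__main__":
    for name in ("report.PDF", "shell.php", "shell.jpg.php", "shell.php.jpg", "../x.jpg"):
        print(name, "->", is_acceptable_upload_name(name))
    fid = register_upload("User1", "notes.txt")
    print("anonymous:", authorize_download(None, fid))
    print("owner:", authorize_download("User1", fid))
```

Two design points: an allowlist rather than a blocklist means a forgotten executable extension (phtml, phar, a handler added later in the web server) fails closed, and because the stored name is random and lives outside the document root, the web server can never be coaxed into interpreting the file even if the extension check were bypassed.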


Identified medium security vulnerabilities:

1. No password strength policy is implemented: a user can set a password of
one character.

2. Users are not forced to change the default passwords of the default
installed users, such as the password for the administrator account.

3. PHP session files are stored in the web root.

4. Referrer leakage to the vendor: they are able to learn where you installed
PHP File Manager.

5. File uploads are stored directly in the web root, not in a separate upload
folder outside the web root.

6. Ability to check whether arbitrary files exist on the system without
having to log in.

7. Default users (admin, User1 and User2) are installed, all with the same
password.

8. No protection against brute-force attacks on the login screen.

9. The session cookie is set without the HttpOnly and Secure flags.

10. No HTTP Strict Transport Security (HSTS) support is implemented.

11. No Content Security Policy (CSP) is implemented.

12. Privilege escalation is possible for authenticated users if the PHP
configuration option register_globals is set to true.

13. Outdated jQuery library that is probably vulnerable to cross-site
scripting attacks: the file /uploader/jquery-1.3.2.min.js is from February
20, 2009.
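The following is an added example, not part of the advisory or of PHP File Manager. It turns medium findings 9, 10 and 11 into a repeatable check: given a raw HTTP response, it reports a session cookie set without HttpOnly or Secure, a missing or malformed Strict-Transport-Security header, and a missing Content-Security-Policy header. Both responses below are constructed for the example (the weak one mirrors what the advisory describes, the hardened one shows a passing configuration); the advisory itself does not reproduce the application's actual headers.

```python
# Constructed response resembling what the advisory describes: a PHP session
# cookie with no HttpOnly/Secure flags and no HSTS or CSP headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)

# Constructed hardened counterpart for comparison (values are illustrative).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; HttpOnly; Secure\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>login</body></html>"
)


def parse_response_headers(raw):
    """Split a raw HTTP/1.1 response into (status_line, [(name_lower, value), ...]).
    Repeated headers such as Set-Cookie are kept as separate entries."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_attributes(set_cookie_value):
    """Return (cookie_name, {attribute_lower: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(raw, served_over_https=True):
    """Return a list of finding strings for the session-cookie, HSTS and CSP checks.
    Secure and HSTS only make sense over TLS, so they are skipped for plain HTTP."""
    _status, headers = parse_response_headers(raw)
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie, attrs = cookie_attributes(value)
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie} is readable by script (no HttpOnly)")
        if served_over_https and "secure" not in attrs:
            findings.append(f"cookie {cookie} may be sent over plain HTTP (no Secure)")
    present = dict(headers)
    if served_over_https:
        hsts = present.get("strict-transport-security")
        if hsts is None:
            findings.append("no Strict-Transport-Security header")
        elif "max-age=" not in hsts.lower():
            findings.append("Strict-Transport-Security header lacks max-age")
    if "content-security-policy" not in present:
        findings.append("no Content-Security-Policy header")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp))
```

To use it against a live install, feed the function the bytes of a response captured with curl -i or a proxy; the parser deliberately keeps every Set-Cookie header separately, since an application that sets more than one cookie may protect one and forget another.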


Identified low security vulnerabilities:

1. Local path disclosure via the installation support scripts
(/show_windows_path.php and /show_linux_path.php).





More information is available in my web log post at
http://sijmen.ruwhof.net/weblog/411-multiple-critical-security-vulnerabilities-including-a-backdoor-in-php-file-manager


