In July 2010 Ruwhof was looking for a web base file manager that he could use in his own web server when he came across with PHP file Manager.
At the time, he found out that the product had several critical vulnerabilities that could be easily exploited.
“After looking at it, I did some shocking findings which I’ll disclose in this article. This commercial off the shelf software product contains several critical security vulnerabilities that can be easily unauthenticated remotely exploited. On top of that, it even includes a poorly secured backdoor, leaving this web based file manager completely open.” states Sijmen Ruwhof.
Sijmen Ruwhof tried 3 times to get in touch with Revived Wire Media( the owner of PHP file Manager) without success, so he choose to disclose the security issues to the public.
Known companies as Eneco, Nintendo, Danone, Nestle, Loreal, EON, Siemens, Vattenfall, Oracle, Oxford, Hilton, T-mobile, CBS, UPC, 3M, etc. etc. are exposed to cyber attacks because they currently are using the product.
Here are some of the bugs he discovered in the PHP file Manager:
”Password hashes stored in the user database are unsalted and are generated via the deprecated MD5 hash algorithm. Most of these hashes can be instantly reverted back to their original password via online MD5 reversing services,” Ruwhof wrote Monday in a post to Full Disclosure.
Besides all this, the software doesn’t have any password policy, suffers from cross-site scripting and cross-site request forgery vulnerabilities, it’s vulnerable to brute-force attacks, and stores PHP session files in the web root.
5 years it is a lot of time, and it should be enough to fix all these vulnerabilities, anyway it is uncertain if Revived Wire Media will fix all the vulnerabilities in the future because it looks like PHP File Manager haven’t been updated in the last 4 years.
Enjoy the detailed analysis published by Ruwhof.
About the Author Elsio Pinto
Edited by Pierluigi Paganini
(Security Affairs – PHP File Manager, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.