Home / vulnerabilities PHP File Manager Backdoor / XSS / CSRF / Shell Upload
Posted on 27 July 2015
Source : packetstormsecurity.org Link
Multiple critical security vulnerabilities (including a backdoor!) in PHP
File Manager
I've found several critical security vulnerabilities in PHP File Manager. On
top of that, it even includes a poorly secured backdoor, leaving this web
based file manager completely open. I've contacted the vendor three times
but got no response of them, so I'm going full disclosure.
Identified critical security vulnerabilities:
1. Poorly secured backdoor user that compromises all security
measurements. This user is located in file '/db/valid.users' and has user
name '****__DO_NOT_REMOVE_THIS_ENTRY__****'.
2. User database in file '/db/valid.users' is completely unprotected and
can be freely downloaded via any web browser. Password hashes stored in the
user database are unsalted and are generated via the deprecated MD5 hash
algorithm. Most of these hashes can be instantly reverted back to their
original password via online MD5 reversing services.
3. Arbitrary and unauthenticated file uploads are possible because an
old version (2.1.0) of the library Uploadify is used. PHP code can be
uploaded and executed, compromising security completely.
4. There is no configuration option available to restrict the file
extensions that are allowed to be uploaded by authenticated users: you can
upload and also execute PHP files.
Identified high security vulnerabilities:
1. Multiple cross-site scripting vulnerabilities, making identify theft
attack scenario's possible.
2. No authentication or authorization checks are performed on files that
are uploaded by users. If you know the internet address of a file, you can
download it without being logged in.
3. Cross site request forgery is possible.
Identified medium security vulnerabilities:
1. No password strength policy is implemented. A user can generate a
password of one character.
2. A user if not forced to change the default passwords of all default
installed users, such as the password for the administrator account.
3. PHP session files are stored in the web root.
4. Referrer leakages to vendor: they have the ability to know where you
installed PHP File Manager.
5. File uploads are directly stored in the web root, not in a separate
upload folder on the server out of the web root.
6. Ability to check if arbitrary files exists on the system without
having to log in.
7. Default users (admin, User1 and User2) are installed which all got
the same password set.
8. No protection against brute force attacks on the login screen.
9. Session cookie without HttpOnly and Secure protection.
10. No HTTP Strict Transport Security support is implementation.
11. No Content Security Policy implemented.
12. Privilege escalation possible for authenticated users if PHP
configuration optionregister_globals is set to true.
13. Outdated jQuery library that is probably vulnerable for cross-site
scripting attacks. The file /uploader/jquery-1.3.2.min.js is from February
20, 2009.
Identified low security vulnerabilities:
1. Local path disclosure via installation support scripts (in
/show_windows_path.phpand /show_linux_path.php).
More information available in my web log post at
<http://sijmen.ruwhof.net/weblog/411-multiple-critical-security-vulnerabilit
ies-including-a-backdoor-in-php-file-manager>
http://sijmen.ruwhof.net/weblog/411-multiple-critical-security-vulnerabiliti
es-including-a-backdoor-in-php-file-manager