Researcher finds several vulnerabilities in PHP File Manager

Researcher Sijmen Ruwhof uncovered several critical security vulnerabilities in web-based PHP File Manager that leave databases vulnerable to bruteforce login attempts and unauthorized remote access.

“At this moment, confidential files can be easily downloaded from Eneco, Nintendo, Danone, Nestle, Loreal, EON, Siemens, Vattenfall, Oracle, Oxford, Hilton, T-Mobile, CBS, UPC, 3M and also a couple of banks and quite a lot of other companies,” Ruwhof said in a blog post.

The file manager is prone to brute force attacks due to weak password hashing that can be reverted to its original format.

“Password hashes stored in the user database are unsalted and are generated via the deprecated MD5 hash algorithm,” Ruwhof said. He explained that an attacker could revert the hashes to their original passwords using an online MD5 reversing service.

The file manager also has a weak password strength policy, a lack of variation in default passwords and measures that don't force the user to change default passwords. Other flaws include an unsecured backdoor, the ability for users to upload arbitrary and unauthenticated files, and no configuration to restrict file extensions.

Ruwhof also identified several high-security risks including multiple cross-site scripting vulnerabilities, a lack of authentication or authorization checks for downloads, and the possibility of cross site forgery. Several of the vulnerabilities were disclosed privately to Revived Wire Media, the company that makes the software, nearly five years ago.

First published in US sister publication SCMagazine.com.