| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Jul 2015 03:35:01 +0200 From: "Sijmen Ruwhof" <sijmen@...undity.com> To: <fulldisclosure@...lists.org> Subject: [FD] Multiple critical security vulnerabilities (including a backdoor!) in PHP File Manager Multiple critical security vulnerabilities (including a backdoor!) in PHP File Manager I've found several critical security vulnerabilities in PHP File Manager. On top of that, it even includes a poorly secured backdoor, leaving this web based file manager completely open. I've contacted the vendor three times but got no response of them, so I'm going full disclosure. Identified critical security vulnerabilities: 1. Poorly secured backdoor user that compromises all security measurements. This user is located in file '/db/valid.users' and has user name '****__DO_NOT_REMOVE_THIS_ENTRY__****'. 2. User database in file '/db/valid.users' is completely unprotected and can be freely downloaded via any web browser. Password hashes stored in the user database are unsalted and are generated via the deprecated MD5 hash algorithm. Most of these hashes can be instantly reverted back to their original password via online MD5 reversing services. 3. Arbitrary and unauthenticated file uploads are possible because an old version (2.1.0) of the library Uploadify is used. PHP code can be uploaded and executed, compromising security completely. 4. There is no configuration option available to restrict the file extensions that are allowed to be uploaded by authenticated users: you can upload and also execute PHP files. Identified high security vulnerabilities: 1. Multiple cross-site scripting vulnerabilities, making identify theft attack scenario's possible. 2. No authentication or authorization checks are performed on files that are uploaded by users. If you know the internet address of a file, you can download it without being logged in. 3. Cross site request forgery is possible. Identified medium security vulnerabilities: 1. No password strength policy is implemented. A user can generate a password of one character. 2. A user if not forced to change the default passwords of all default installed users, such as the password for the administrator account. 3. PHP session files are stored in the web root. 4. Referrer leakages to vendor: they have the ability to know where you installed PHP File Manager. 5. File uploads are directly stored in the web root, not in a separate upload folder on the server out of the web root. 6. Ability to check if arbitrary files exists on the system without having to log in. 7. Default users (admin, User1 and User2) are installed which all got the same password set. 8. No protection against brute force attacks on the login screen. 9. Session cookie without HttpOnly and Secure protection. 10. No HTTP Strict Transport Security support is implementation. 11. No Content Security Policy implemented. 12. Privilege escalation possible for authenticated users if PHP configuration optionregister_globals is set to true. 13. Outdated jQuery library that is probably vulnerable for cross-site scripting attacks. The file /uploader/jquery-1.3.2.min.js is from February 20, 2009. Identified low security vulnerabilities: 1. Local path disclosure via installation support scripts (in /show_windows_path.phpand /show_linux_path.php). More information available in my web log post at <http://sijmen.ruwhof.net/weblog/411-multiple-critical-security-vulnerabilit ies-including-a-backdoor-in-php-file-manager> http://sijmen.ruwhof.net/weblog/411-multiple-critical-security-vulnerabiliti es-including-a-backdoor-in-php-file-manager _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists