[FD] Multiple critical security vulnerabilities (including a backdoor!) in PHP File Manager
Multiple critical security vulnerabilities (including a backdoor!) in PHP File Manager

I've found several critical security vulnerabilities in PHP File Manager. On top of that, it even includes a poorly secured backdoor, leaving this web-based file manager completely open. I've contacted the vendor three times but got no response from them, so I'm going full disclosure.

Identified critical security vulnerabilities:

1. Poorly secured backdoor user that compromises all security measures. This user is located in file '/db/valid.users' and has user name '__DO_NOT_REMOVE_THIS_ENTRY__'.
2. User database in file '/db/valid.users' is completely unprotected and can be freely downloaded via any web browser. Password hashes stored in the user database are unsalted and are generated via the deprecated MD5 hash algorithm. Most of these hashes can be instantly reverted back to their original password via online MD5 reversing services.
3. Arbitrary and unauthenticated file uploads are possible because an old version (2.1.0) of the library Uploadify is used. PHP code can be uploaded and executed, compromising security completely.
4. There is no configuration option available to restrict the file extensions that are allowed to be uploaded by authenticated users: you can upload and also execute PHP files.

Identified high security vulnerabilities:

1. Multiple cross-site scripting vulnerabilities, making identity theft attack scenarios possible.
2. No authentication or authorization checks are performed on files that are uploaded by users. If you know the internet address of a file, you can download it without being logged in.
3. Cross-site request forgery is possible.

Identified medium security vulnerabilities:

1. No password strength policy is implemented. A user can generate a password of one character.
2. A user is not forced to change the default passwords of all default installed users, such as the password for the administrator account.
3. PHP session files are stored in the web root.
4. Referrer leakage to vendor: they have the ability to know where you installed PHP File Manager.
5. File uploads are directly stored in the web root, not in a separate upload folder on the server outside of the web root.
6. Ability to check if arbitrary files exist on the system without having to log in.
7. Default users (admin, User1 and User2) are installed which all have the same password set.
8. No protection against brute force attacks on the login screen.
9. Session cookie without HttpOnly and Secure protection.
10. No HTTP Strict Transport Security support is implemented.
11. No Content Security Policy implemented.
12. Privilege escalation possible for authenticated users if PHP configuration option register_globals is set to true.
13. Outdated jQuery library that is probably vulnerable to cross-site scripting attacks. The file /uploader/jquery-1.3.2.min.js is from February 20, 2009.

Identified low security vulnerabilities:

1. Local path disclosure via installation support scripts (in /show_windows_path.php and /show_linux_path.php).

More information available in my web log post at http://sijmen.ruwhof.net/weblog/411-multiple-critical-security-vulnerabilities-including-a-backdoor-in-php-file-manager

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
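The two findings about the user database (unsalted MD5 hashes that "online MD5 reversing services" recover instantly, and three default accounts sharing one password) come down to a property of the hash format, which the following added example demonstrates. It is not code from PHP File Manager or from the advisory's author: the user records, the wordlist and the (username, hash) record layout are constructed for the demo, since the advisory does not document the real format of /db/valid.users. The second half shows the salted, slow hash that removes both problems.

```python
"""Unsalted MD5 password hashes versus a salted, slow password hash.

Added example for the PHP File Manager advisory; not code from the project.
The user records, the wordlist and the record layout are constructed for
the demo (the advisory does not document the format of /db/valid.users).
"""
import hashlib
import hmac
import re
import secrets

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample user records as (username, stored_hash): three default
# accounts sharing one password, hashed the way the advisory describes
# (plain md5(password), no salt). The password itself is an assumption.
SAMPLE_USERS = [
    ("admin", hashlib.md5(b"admin123").hexdigest()),
    ("User1", hashlib.md5(b"admin123").hexdigest()),
    ("User2", hashlib.md5(b"admin123").hexdigest()),
]

# Constructed mini wordlist standing in for the precomputed tables behind an
# online "MD5 reversing" service.
WORDLIST = ["password", "123456", "admin", "admin123", "letmein"]


def looks_like_unsalted_md5(stored):
    """32 hex characters with no salt or algorithm tag is the raw md5() shape."""
    return MD5_HEX.match(stored.lower()) is not None


def crack_md5(stored, wordlist):
    """Dictionary attack: one md5() per candidate. Because there is no salt,
    a single pass over the wordlist serves every user in the database."""
    target = stored.lower()
    for word in wordlist:
        if hashlib.md5(word.encode()).hexdigest() == target:
            return word
    return None


def audit_users(records, wordlist):
    """Map each user with an unsalted MD5 hash to the recovered password
    (None when the wordlist misses)."""
    return {
        user: crack_md5(h, wordlist)
        for user, h in records
        if looks_like_unsalted_md5(h)
    }


def shared_password_groups(records):
    """Without a salt, identical hashes expose identical passwords, so the
    shared default password (finding 7) is visible before any cracking."""
    by_hash = {}
    for user, h in records:
        by_hash.setdefault(h.lower(), []).append(user)
    return [users for users in by_hash.values() if len(users) > 1]


# --- the hardened form: per-user random salt plus a slow KDF ---------------

def hash_password(password, iterations=210_000):
    """PBKDF2-HMAC-SHA256 with a 16-byte random salt. Salt and iteration
    count are stored with the digest so the cost can be raised later."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    # Constant-time compare so verification timing leaks nothing about the digest.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("recovered:", audit_users(SAMPLE_USERS, WORDLIST))
    print("shared passwords:", shared_password_groups(SAMPLE_USERS))
    stored = hash_password("admin123")
    print("salted record:", stored)
    print("verify ok:", verify_password("admin123", stored))
    print("still looks like md5?", looks_like_unsalted_md5(stored))
```

Two salted records for the same password differ, so the shared-password grouping above yields nothing against the hardened form, and each guess must be run once per user at the full PBKDF2 cost rather than once for the whole database.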
Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
Hi Joey,

In my research I found out that the 'x-frame-options' solution doesn't protect against session hijacking via session cookie theft. It is very important that you also add the 'HttpOnly' flag to all cookies. I've published an overview of my research, additional mitigations and supporting evidence in a web log article:

http://sijmen.ruwhof.net/weblog/427-mitigations-against-critical-universal-cross-site-scripting-vulnerability-in-fully-patched-internet-explorer-10-and-11

Kind regards,
Sijmen Ruwhof

Re: Major Internet Explorer Vulnerability - NOT Patched
From: Joey Fowler joey () tumblr com
Date: Mon, 2 Feb 2015 15:53:10 -0500

Hi David,

"nice" is an understatement here. I've done some testing with this one and, while there *are* quirks, it most definitely works. It even bypasses standard HTTP-to-HTTPS restrictions. As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is).

It looks like, through this method, all viable XSS tactics are open! Nice find!

Has this been reported to Microsoft outside (or within) this thread?

--
Joey Fowler
Senior Security Engineer, Tumblr

On Sat, Jan 31, 2015 at 9:18 AM, David Leo david.leo () deusen co uk wrote:

Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by external domain.

How To Use
1. Close the popup window (confirm dialog) after three seconds.
2. Click Go.
3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting (XSS)
Impact: Same Origin Policy (SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
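The point made in the reply above (a framing restriction alone leaves the session cookie stealable; HttpOnly is needed as well) and the PHP File Manager advisory's medium findings 9 to 11 (no HttpOnly/Secure on the session cookie, no HSTS, no CSP) are all checks on response headers. The following added example, not code from any post in either thread, audits a response for exactly those headers. The three header sets at the bottom are constructed: a weak response, the partial fix that only blocks framing, and a hardened one; the cookie name PHPSESSID is PHP's default and is used here as an assumption.

```python
"""Audit an HTTP response for framing restrictions, HttpOnly/Secure on
cookies, HSTS and CSP. Added example; not code from the posts above.
The header sets at the bottom are constructed for the demo."""


def _values(headers, name):
    """All values of a header, matched case-insensitively (headers may repeat)."""
    return [v for n, v in headers if n.lower() == name.lower()]


def frames_blocked(headers):
    """True when X-Frame-Options DENY/SAMEORIGIN, or a CSP frame-ancestors
    directive limited to 'none'/'self', stops other origins from framing the
    page. Note the X-Frame-Options token is SAMEORIGIN, not 'same-origin'."""
    for v in _values(headers, "X-Frame-Options"):
        if v.strip().upper() in ("DENY", "SAMEORIGIN"):
            return True
    for csp in _values(headers, "Content-Security-Policy"):
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = {t.lower() for t in tokens[1:]}
                if sources and sources <= {"'none'", "'self'"}:
                    return True
    return False


def cookie_findings(headers):
    """Cookie name -> list of missing attributes among HttpOnly and Secure.
    Without HttpOnly, injected script reads the cookie via document.cookie
    no matter what the framing policy says; without Secure it also travels
    over plain HTTP."""
    findings = {}
    for raw in _values(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("HttpOnly", "Secure") if a.lower() not in attrs]
        if missing:
            findings[name] = missing
    return findings


def audit(headers):
    """Collect every gap; an empty dict means all four mitigations are present."""
    report = {}
    if not frames_blocked(headers):
        report["framing"] = "no X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors"
    if not _values(headers, "Strict-Transport-Security"):
        report["hsts"] = "missing"
    if not _values(headers, "Content-Security-Policy"):
        report["csp"] = "missing"
    cookies = cookie_findings(headers)
    if cookies:
        report["cookies"] = cookies
    return report


# Constructed responses (list of (name, value) pairs in the order sent).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
]
# Framing blocked, but the session cookie is still readable from script.
XFO_ONLY_RESPONSE = [
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "PHPSESSID=abc123; path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("X-Frame-Options", "DENY"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE),
                        ("xfo-only", XFO_ONLY_RESPONSE),
                        ("hardened", HARDENED_RESPONSE)):
        print(label, audit(resp))
```

Run against a live target, the same functions take the header list from any HTTP client; the XFO_ONLY_RESPONSE case is the one to look for, since it passes a framing check yet still reports the session cookie as exposed.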