Security Experts:

Many High-Profile Firms Using Vulnerable PHP File Manager: Researcher

A researcher says he has identified several serious vulnerabilities in a PHP file manager application that is used by many high profile organizations.

PHP File Manager from Revived Wire Media is a commercial web-based file manager. The application is no longer supported, but Dutch security consultant Sijmen Ruwhof has found that it’s still used by numerous companies.

Ruwhof discovered the vulnerabilities in PHP File Manager back in 2010 when he first purchased the application. A couple of months ago, he tested the application again to see if the security holes he found had been fixed.

Since the developer hasn’t patched the vulnerabilities and hasn’t responded to his emails, the researcher decided to disclose the existence of the bugs to warn users whose files could be at risk.

One of the most serious security issues is related to the existence of a default user account that can be leveraged for complete backdoor access to systems running PHP File Manager. This vulnerability was previously reported in 2012 by Stefan Horlacher. 

Another critical flaw is that the user database is completely unprotected, and the MD5 password hashes stored in it can be easily cracked. The researcher has also identified a couple of arbitrary file upload vulnerabilities that can be exploited to upload and execute PHP files.

The list of vulnerabilities classified by Ruwhof as having high severity are several cross-site scripting (XSS) bugs, lack of authentication and authorization for user-uploaded files, and a cross-site request forgery (CSRF) flaw.

Ruwhof has also reported identifying over a dozen medium severity issues that expose PHP File Manager users to attacks.

The latest release of Revived Wire Media’s PHP File Manager appears to be version 4.5. This version was released sometime in 2010-2011 and the application hasn’t been updated since.

Despite the lack of updates, Ruwhof discovered that the app is still used by many high profile companies.

“At this moment, confidential files can be easily downloaded from Eneco, Nintendo, Danone, Nestle, Loreal, EON, Siemens, Vattenfall, Oracle, Oxford, Hilton, T-Mobile, CBS, UPC, 3M and also a couple of banks and quite a lot of other companies (lesser known to me),” Ruwhof said in a blog post on Monday.

According to the expert, one of the organizations using PHP File Manager is an American youth care company that provides substance abuse and mental health services. The researcher believes this organization has 250 professionals who are sharing confidential patient information using the vulnerable application.

Revived Wire Media has not responded to SecurityWeek's request for comment by the time of publication.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.