Connect with us

Hi, what are you looking for?



Many High-Profile Firms Using Vulnerable PHP File Manager: Researcher

A researcher says he has identified several serious vulnerabilities in a PHP file manager application that is used by many high profile organizations.

A researcher says he has identified several serious vulnerabilities in a PHP file manager application that is used by many high profile organizations.

PHP File Manager from Revived Wire Media is a commercial web-based file manager. The application is no longer supported, but Dutch security consultant Sijmen Ruwhof has found that it’s still used by numerous companies.

Ruwhof discovered the vulnerabilities in PHP File Manager back in 2010 when he first purchased the application. A couple of months ago, he tested the application again to see if the security holes he found had been fixed.

Since the developer hasn’t patched the vulnerabilities and hasn’t responded to his emails, the researcher decided to disclose the existence of the bugs to warn users whose files could be at risk.

One of the most serious security issues is related to the existence of a default user account that can be leveraged for complete backdoor access to systems running PHP File Manager. This vulnerability was previously reported in 2012 by Stefan Horlacher. 

Another critical flaw is that the user database is completely unprotected, and the MD5 password hashes stored in it can be easily cracked. The researcher has also identified a couple of arbitrary file upload vulnerabilities that can be exploited to upload and execute PHP files.

The list of vulnerabilities classified by Ruwhof as having high severity are several cross-site scripting (XSS) bugs, lack of authentication and authorization for user-uploaded files, and a cross-site request forgery (CSRF) flaw.

Advertisement. Scroll to continue reading.

Ruwhof has also reported identifying over a dozen medium severity issues that expose PHP File Manager users to attacks.

The latest release of Revived Wire Media’s PHP File Manager appears to be version 4.5. This version was released sometime in 2010-2011 and the application hasn’t been updated since.

Despite the lack of updates, Ruwhof discovered that the app is still used by many high profile companies.

“At this moment, confidential files can be easily downloaded from Eneco, Nintendo, Danone, Nestle, Loreal, EON, Siemens, Vattenfall, Oracle, Oxford, Hilton, T-Mobile, CBS, UPC, 3M and also a couple of banks and quite a lot of other companies (lesser known to me),” Ruwhof said in a blog post on Monday.

According to the expert, one of the organizations using PHP File Manager is an American youth care company that provides substance abuse and mental health services. The researcher believes this organization has 250 professionals who are sharing confidential patient information using the vulnerable application.

Revived Wire Media has not responded to SecurityWeek’s request for comment by the time of publication.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.