Multiple critical vulnerabilities have existed, some for nearly five years, in PHP File Manager, a web-based file manager used by several high-profile corporations.
According to Sijmen Ruwhof, a security consultant and penetration tester based in the Netherlands, some of the issues have been present in the software for the last five years. After three failed attempts to get in touch with Revived Wire Media, the Virginia-based company behind the product, Ruwhof opted on Monday to disclose the issues publicly.
Perhaps the most alarming issue Ruwhof discovered is a shoddily built backdoor that, if tripped, could give an attacker access to the file manager. Ruwhof found the username that gave him access to the software in the first line of a text-based user database.
That same database that Ruwhof stumbled upon – downloadable on any web browser – also contains a cache of sensitive information, including “user names, password hashes, binary based authorization configuration and web server paths where users may store their files in.”
“Password hashes stored in the user database are unsalted and are generated via the deprecated MD5 hash algorithm. Most of these hashes can be instantly reverted back to their original password via online MD5 reversing services,” Ruwhof wrote Monday in a post to Full Disclosure.
Ruwhof claims that he first discovered some of the issues after purchasing the File Manager for $5 in 2010 and decided to revisit the vulnerabilities recently.
In a longer, more in-depth write-up of his research on his site, Ruwhof points out that another security researcher, Stefan Horlacher with the Swiss firm Company Security, discovered the same issue in 2012. Like Ruwhof, Horlacher also tried to contact the company three times without success.
I've found multiple critical security vulnerabilities (including a backdoor!) in PHP File Manager. Full disclosure: http://t.co/DOI3BYhUHD
— Sijmen Ruwhof (@sruwhof) July 27, 2015
On top of the backdoor, the software also uses an outdated version of the jQuery library Uploadify. If exploited, a bug from 2009 in the library could make it easy for an attacker to create an administrator user and from there, once authenticated, upload and execute their own PHP script files.
Ruwhof also warns that when users upload files, the software fails to carry out an authentication or authorization check on them.
A slew of password issues plague the software as well: since the software enforces no password policy, a user can set a password composed of a single character. While administrators are required to change their passwords, Ruwhof claims that users aren’t forced to change the default passwords for all of the default installed users.
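The two weaknesses above, unsalted MD5 password hashes (quoted earlier from Ruwhof’s post) and the absence of any password policy, are the kind a maintainer can fix in a few dozen lines. The following PHP is an added example written for this article, not code from PHP File Manager or from Revived Wire Media; the `username:hash` record layout, the policy values and the sample entries are constructed assumptions. It audits a legacy user database for raw MD5 hashes and for users who share a hash (something unsalted hashing exposes directly, since equal passwords produce equal digests), enforces a minimum length and a denylist for new passwords, and upgrades a legacy record to `password_hash()` transparently the next time that user logs in.

```php
<?php
// Added example, not code from PHP File Manager or Revived Wire Media.
// Illustrates the weaknesses described in the article (unsalted MD5 hashes,
// no password policy) and the corrective controls a maintainer would add.
declare(strict_types=1);

// Policy value and the user-record layout below are constructed assumptions.
const MIN_PASSWORD_LENGTH = 12;

// Constructed sample of a text user database, one "username:hash" per line.
// All three hashes are unsalted MD5 (md5('admin') and md5('password'));
// alice and bob share a password, which an unsalted scheme reveals outright.
const SAMPLE_USER_DB = "admin:21232f297a57a5a743894a0e4a801fc3\n"
    . "alice:5f4dcc3b5aa765d61d8327deb882cf99\n"
    . "bob:5f4dcc3b5aa765d61d8327deb882cf99\n";

/** Parse the text database into username => stored hash. */
function parseUserDb(string $db): array
{
    $users = [];
    foreach (preg_split('/\R/', trim($db)) as $line) {
        [$user, $hash] = explode(':', $line, 2);
        $users[$user] = $hash;
    }
    return $users;
}

/** A bare 32-hex-digit string is a raw (unsalted) MD5 digest. */
function isLegacyMd5Hash(string $hash): bool
{
    return preg_match('/^[0-9a-f]{32}$/i', $hash) === 1;
}

/** Audit: users still on legacy MD5, and groups of users sharing one hash. */
function auditUserDb(array $users): array
{
    $legacy = [];
    $byHash = [];
    foreach ($users as $user => $hash) {
        if (isLegacyMd5Hash($hash)) {
            $legacy[] = $user;
        }
        $byHash[$hash][] = $user;
    }
    $shared = array_values(array_filter($byHash, fn($group) => count($group) > 1));
    return ['legacy_md5_users' => $legacy, 'shared_password_groups' => $shared];
}

/** Password policy: return an error string, or null if the password is acceptable. */
function validateNewPassword(string $password, string $username): ?string
{
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        return 'password must be at least ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    if (strcasecmp($password, $username) === 0) {
        return 'password must not equal the username';
    }
    // Constructed denylist standing in for a real breached-password list.
    $denylist = ['password', 'admin', '123456', 'filemanager'];
    if (in_array(strtolower($password), $denylist, true)) {
        return 'password is on the denylist';
    }
    return null;
}

/** Hardened storage: salted, deliberately slow, algorithm-tagged hash. */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Verify a login against either a legacy MD5 record or a modern hash.
 * A successful legacy login upgrades the stored record in place, which is
 * how an existing user base is migrated without forcing a reset.
 */
function verifyAndUpgrade(string $password, string &$stored): bool
{
    if (isLegacyMd5Hash($stored)) {
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        $stored = hashPassword($password);
        return true;
    }
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = hashPassword($password);
    }
    return true;
}

$users = parseUserDb(SAMPLE_USER_DB);
print_r(auditUserDb($users));

// alice logs in with her old weak password: accepted once, then her record
// is rewritten with password_hash() and no longer looks like raw MD5.
var_dump(verifyAndUpgrade('password', $users['alice']));
var_dump(isLegacyMd5Hash($users['alice']));
// The policy rejects a one-character password and accepts a long passphrase.
var_dump(validateNewPassword('a', 'alice'));
var_dump(validateNewPassword('correct horse battery', 'alice'));
```

The audit step is the useful part for an operator who inherits an installation like the one described: a line-oriented user file with 32-hex-digit fields is immediately recognisable, and any two accounts carrying the same digest share a password. The upgrade-on-login path means the migration completes without an announcement or a mass reset, while `password_needs_rehash()` keeps records current when the default algorithm or cost changes later.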
While less pressing than the aforementioned vulnerabilities, the software also suffers from a handful of other issues, including cross-site scripting and cross-site request forgery vulnerabilities that could open up companies using the software to identity theft attacks, warns Ruwhof. The File Manager can also let attackers check whether arbitrary files exist on the system without logging in, doesn’t protect against brute-force login attacks, and stores PHP session files in the web root, according to the researcher.
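Several of the issues listed above, uploads without an authentication or authorization check, missing CSRF protection, an unauthenticated file-existence check, and session files in the web root, come down to the same handful of controls in the upload path. The PHP below is an added example for this article and is not code from PHP File Manager or Revived Wire Media; the storage paths, form field names, size limit and extension list are constructed assumptions, and `$move` is a hypothetical parameter that stands in for `move_uploaded_file()` so the handler can be run from the command line.

```php
<?php
// Added example, not code from PHP File Manager or Revived Wire Media.
// A hardened upload endpoint that closes the gaps the article lists:
// authentication and per-user authorization on uploads, a CSRF token,
// uniform errors so unauthenticated callers learn nothing about which
// files exist, and PHP session files kept out of the web root.
// All paths, field names and limits below are constructed assumptions.
declare(strict_types=1);

// Keep session files outside the document root (hypothetical path).
ini_set('session.save_path', '/var/lib/php-file-manager/sessions');

const MAX_UPLOAD_BYTES = 10 * 1024 * 1024;
// Extensions the web server would execute; these are never accepted.
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'phar', 'php3', 'php5', 'php7', 'phps', 'htaccess'];

/** Issue (or reuse) the per-session anti-CSRF token. */
function csrfTokenFor(array &$session): string
{
    $session['csrf'] ??= bin2hex(random_bytes(32));
    return $session['csrf'];
}

/**
 * Process one upload and return [http_status, message].
 * $session stands in for $_SESSION, $post for $_POST, $file for one
 * $_FILES entry, and $move (hypothetical) for move_uploaded_file(), so the
 * function can be exercised from the command line as well as from a request.
 */
function handleUpload(array $session, array $post, array $file, string $storageRoot,
                      callable $move = 'move_uploaded_file'): array
{
    // 1. Authentication first: one uniform answer for every unauthenticated
    //    request, whatever file name it carries, so nothing is leaked.
    if (empty($session['user']) || !preg_match('/^[a-z0-9_-]{1,32}$/i', $session['user'])) {
        return [401, 'authentication required'];
    }
    // 2. CSRF: the submitted token must match the one bound to this session.
    $token = $post['csrf'] ?? null;
    if (!is_string($token) || empty($session['csrf']) || !hash_equals($session['csrf'], $token)) {
        return [403, 'invalid request token'];
    }
    // 3. Basic upload sanity and size limit.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || ($file['size'] ?? 0) > MAX_UPLOAD_BYTES) {
        return [400, 'upload rejected'];
    }
    // 4. Filename: strip any directory part, refuse dotfiles and executable types.
    $name = basename(str_replace('\\', '/', (string) ($file['name'] ?? '')));
    if ($name === '' || $name[0] === '.') {
        return [400, 'upload rejected'];
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (in_array($ext, BLOCKED_EXTENSIONS, true)) {
        return [400, 'upload rejected'];
    }
    // 5. Authorization: the user may only write inside their own directory,
    //    verified on the resolved path rather than on the submitted string.
    $userDir = $storageRoot . '/' . $session['user'];
    if (!is_dir($userDir) && !mkdir($userDir, 0750, true)) {
        return [500, 'storage unavailable'];
    }
    $realUserDir = realpath($userDir);
    if ($realUserDir === false) {
        return [500, 'storage unavailable'];
    }
    $target = $realUserDir . '/' . $name;
    if (dirname($target) !== $realUserDir || file_exists($target)) {
        return [409, 'upload rejected'];
    }
    if (!$move($file['tmp_name'], $target)) {
        return [500, 'storage unavailable'];
    }
    return [200, 'stored as ' . $session['user'] . '/' . $name];
}

// Command-line walk-through with a constructed session and a temporary file.
$root = sys_get_temp_dir() . '/pfm-demo-' . bin2hex(random_bytes(4));
$session = ['user' => 'alice'];
$token = csrfTokenFor($session);
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "hello\n");
$file = ['name' => '../../page.php', 'tmp_name' => $tmp, 'size' => 6, 'error' => UPLOAD_ERR_OK];

// No session: rejected before the file name is even inspected.
print_r(handleUpload([], ['csrf' => $token], $file, $root, 'rename'));
// Logged in, but the token does not belong to this session.
print_r(handleUpload($session, ['csrf' => 'bogus'], $file, $root, 'rename'));
// Valid session and token, but a server-executable extension.
print_r(handleUpload($session, ['csrf' => $token], $file, $root, 'rename'));
// Same traversal prefix on a harmless name: stored flat inside alice's own directory.
$file['name'] = '../../notes.txt';
print_r(handleUpload($session, ['csrf' => $token], $file, $root, 'rename'));
```

The ordering of the checks is the point: authentication is decided before the file name is looked at, so an unauthenticated request gets the same response whether or not the named path exists, which removes the file-existence check the researcher describes. The CSRF token is compared with `hash_equals()` against a value held only in the server-side session, and the session store itself is moved out of the web root with `session.save_path` so session files are never served as static content.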
Ruwhof maintains that companies such as Nestle, Nintendo, Loreal, Siemens, CBS, and 3M use the software but said he hasn’t tried to use the backdoor on those installations.
It’s unclear when or if Revived Wire Media will address the vulnerabilities. Emails from Threatpost to the company, which hasn’t updated its Twitter account since 2010, went unanswered Monday morning.
Revived Wire Media’s website claims 4.5, the vulnerable version, is the most recent version of the software, but Horlacher’s security advisory from 2012 also calls out v. 4.5, suggesting the File Manager hasn’t been updated in nearly four years.