Sign : Vulnerability Just Ahead

Dutch security consultant Sijmen Ruwhof writes about the backdoor and vulnerabilities he found in the Php File Manager product made by Revived Wire Media :

“In July 2010 I was looking for a web based file manager that I could use on my own web server”.

“After looking at it, I did some shocking findings […]. This commercial off the shelf software product contains several critical security vulnerabilities that can be easily unauthenticated remotely exploited“.

“On top of that, it even includes a poorly secured backdoor, leaving this web based file manager completely open.”

I’ve contacted Revived Wire Media three times but got no response of them, so I’m going full disclosure.

“At this moment, confidential files can be be easily downloaded from Eneco, Nintendo, Danone, Nestle, Loreal, EON, Siemens,
Vattenfall,Oracle, Oxford,Hilton, T-Mobile, CBS, UPC, 3M and also a couple of banks and quite a lot of other companies (lesser known to me).

One company in America that uses the file manager is active in youth care and provides mental health and substance abuse services. It has 250 mental health professionals who are probably sharing all kinds of very confidential patient information via PHP File Manager.”

You can read the rest on Ruwhof’s website.

In a nutshell, the backdoor is a hidden admin account with the following credentials :

login: ****__DO_NOT_REMOVE_THIS_ENTRY__****
password: trevan44

This backdoor is in fact not really news, since it has already been reported in 2012 !