phpfm
cpe:2.3:a:phpfm_project:phpfilemanager:*:*:*:*:*:*:*
- 1.7.9
A vulnerability allowing authentication bypass has been identified in phpFileManager version 1.7.9. This issue arises from loose type comparison in password hash validation, enabling attackers to log in by crafting specific password hashes that begin with '0e' or '00e'. Exploiting this vulnerability allows for unauthorized access and the ability to upload malicious PHP files to the server.
Exploitation of this vulnerability allows for authentication bypass, granting unauthorized users access to the application. Additionally, it enables the upload of malicious PHP files, which could be executed on the server, potentially leading to remote code execution.
To reproduce this vulnerability, create a password hash that begins with '0e' or '00e'. This can be done using certain PHP versions that interpret these prefixes as scientific notation. Once the hash is crafted, it can be used to bypass authentication by exploiting the loose type comparison with the default 'loggedon' value, which is '0'. After logging in, upload a PHP file, such as 'shell.php', containing a payload that could be executed on the server.
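The loose comparison described above, next to a strict replacement and a check for stored hashes that are exposed to it. This is an added example, not phpFileManager's own code: the function names and sample digests are constructed for illustration, and only the `'0'` default for 'loggedon' comes from the advisory.

```php
<?php
// Added illustration. Function names are hypothetical, not from phpFileManager.

// Loose check: == converts two numeric-looking strings to numbers before
// comparing, so '0e...' and '00e...' (zero times a power of ten) equal '0'.
function session_matches_loose(string $loggedon, string $storedHash): bool
{
    return $loggedon == $storedHash;
}

// Strict check: hash_equals() compares the strings byte for byte, in constant
// time, with no numeric conversion.
function session_matches_strict(string $loggedon, string $storedHash): bool
{
    return hash_equals($storedHash, $loggedon);
}

// Audit helper: true when a stored hash would evaluate to numeric zero under
// loose comparison and should be regenerated once the comparison is fixed.
function hash_is_loosely_zero(string $storedHash): bool
{
    return is_numeric($storedHash) && (float) $storedHash == 0.0;
}

// Constructed sample digests (not real password hashes).
$samples = [
    'ordinary'  => 'a3' . str_repeat('c', 30),
    "'0e' form"  => '0e' . str_repeat('1', 30),
    "'00e' form" => '00e' . str_repeat('1', 29),
];
$default = '0'; // default 'loggedon' value named in the advisory

foreach ($samples as $label => $hash) {
    printf(
        "%-11s loose=%-5s strict=%-5s at_risk=%s\n",
        $label,
        var_export(session_matches_loose($default, $hash), true),
        var_export(session_matches_strict($default, $hash), true),
        var_export(hash_is_loosely_zero($hash), true)
    );
}
```

Replacing `==` with `hash_equals()` (or `===`) closes the bypass for every stored value; the audit helper only identifies installations whose current hash happens to be in the affected form.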