PHP/Apache Exploit /Wins/Linux
MajorCrazy
2003-08-15, 03:19 AM
Works with Wins/linux installed running any php/apache install. Administrators need to be careful of the PHP exploit known as [ PHPfm.php ]. Even if you have a V/S account/Accounts installed, this needs to be patched ASAP.
Could you be more specific, maybe leaving some links to this exploit's docs?
Tino Didriksen
2003-08-15, 09:44 AM
PHPFM isn't an exploit. It's a file manager...
Maybe another exploit installed PHPFM, but the PHPFM project is in itself innocent.
MajorCrazy
2003-08-15, 11:22 AM
PHPFM isn't an exploit. It's a file manager...
This is true, but if any of your users install this program on their site they could have full access to other users' sites.
For instance, they could access password-protected directories, perform defacements of your users' Web sites etc...
Maybe another exploit installed PHPFM, but the PHPFM project is in itself innocent.
Phpfm will do this right out of the box. No code modification required.
Ron: I was informed about this by a friend and saw it with my own eyes.
What he did was install this on his web site, then logged off.
Then he went to his www site, ran the phpfm script, and to my surprise it listed all the other users' sites/databases etc...
So we looked for his site, found it, opened it, and it showed every folder/file/script/everything. I was shocked.
We then contacted the company to make them aware of this issue.
So if anyone wants to protect their users from getting hacked! I would suggest that they not allow their users to install this program.
Tino Didriksen
2003-08-15, 11:27 AM
I don't know how IIS would handle this, nor how Apache on win32 might, but vhosts in Apache on *nix can be run in user mode.
This would effectively only allow the PHP script to see and modify the files that the user has access to. Which in most cases is all, I agree, but it is quite possible to secure a machine so that even malicious scripts cannot cause any trouble except for one vhost.
Running multiple Apaches with a parent proxy Apache is one way. Using the Apache perchild MPM is another.
(yeah, got slightly off-topic and off-forum)
Originally posted by MajorCrazy
This is true, but if any of your users install this program on their site they could have full access to other users' sites.
For instance, they could access password-protected directories, perform defacements of your users' Web sites etc...
Phpfm will do this right out of the box. No code modification required.
Ron: I was informed about this by a friend and saw it with my own eyes.
What he did was install this on his web site, then logged off.
Then he went to his www site, ran the phpfm script, and to my surprise it listed all the other users' sites/databases etc...
So we looked for his site, found it, opened it, and it showed every folder/file/script/everything. I was shocked.
We then contacted the company to make them aware of this issue.
So if anyone wants to protect their users from getting hacked! I would suggest that they not allow their users to install this program.
This can probably happen on Windows servers because there is no such thing as a chroot environment. Without chroot, any user with scripting ability (with or without phpfm) would be able to browse other sites on the web server. Any password protection that is set up through the web server does not apply at the system level, so users would be free to roam about other sites. However, if the admin sets up proper ownership and permissions on their sites, then users will not be able to modify files that they do not own.
This is not even an issue on Linux systems, since Linux can use both chroot and suexec to make sure users do not wander around the system and change files. chroot prevents users from even seeing other users' files, and suexec makes their scripts run as themselves (instead of the web server) so they couldn't modify anything if they wanted to.
I would blame any problems with PHPFM on poor administration before I start pointing fingers at bad code :) Even if a user uploaded exploitable code, a good admin will have their server set up so any damage is localized to that user.
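The ownership-and-permission point made in the posts above can be checked directly on a shared host. The following is an added example, not code from PHPFM or from any poster: it walks a hosting root and reports what each site exposes to other local users. The directory layout, the site names `alice` and `bob`, and the assumption that scripts run as the site owner (suexec-style, on a POSIX system) are all constructed for illustration.

```python
import os
import stat
import tempfile

# Assumption: scripts run as the site owner (e.g. via suexec), so another
# tenant's script reaches a site only through the "other" permission bits.
def audit_site(docroot):
    """Return sorted findings for one site directory (POSIX mode bits)."""
    findings = []
    top = os.lstat(docroot).st_mode
    if not top & stat.S_IXOTH:
        return findings  # other users cannot enter the tree at all
    if top & stat.S_IROTH:
        findings.append("docroot listable by other users")
    for dirpath, dirnames, filenames in os.walk(docroot):
        dirnames[:] = [d for d in dirnames if
                       os.lstat(os.path.join(dirpath, d)).st_mode & stat.S_IXOTH]
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            kind = ("writable" if mode & stat.S_IWOTH else
                    "readable" if mode & stat.S_IROTH else None)
            if kind and stat.S_ISREG(mode):
                rel = os.path.relpath(path, docroot)
                findings.append(f"world-{kind}: {rel}")
    return sorted(findings)

def audit_hosting_root(root):
    """Map each site directory under root to its findings."""
    return {e.name: audit_site(e.path)
            for e in os.scandir(root) if e.is_dir(follow_symlinks=False)}

def build_sample(root):  # constructed sample layout, not real data
    sites = {"alice": (0o755, {"index.php": 0o644, "upload.php": 0o666,
                               ".htpasswd": 0o600}),
             "bob": (0o750, {"index.php": 0o644})}
    for site, (dmode, files) in sites.items():
        d = os.path.join(root, site)
        os.mkdir(d)
        for name, fmode in files.items():
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, fmode)
        os.chmod(d, dmode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(audit_hosting_root(tmp))
```

If PHP instead runs as one shared web-server account, the group bits for that account's group need the same review, because every tenant's script then holds that access.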
knightfoo
2003-08-15, 14:34 PM
Just a note about reporting exploits ..
If you believe there is an exploit, please post links to information about the exploit and possible fixes. If it is a serious exploit, you should contact the software vendor first and see if they know about it and if they have a way to fix it. Seasoned administrators are unlikely to do anything without supporting information, and new administrators are likely to get scared and start fixing things that are not broken. Also, poor administration practices do not count as an exploit.
-knightfoo
MajorCrazy
2003-08-15, 21:10 PM
By no means did I mean to panic anyone! I just wanted to make other admins aware of this issue, and knightfoo, you're right about contacting the software vendor; he tried and they haven't responded yet. He did get in touch with his service provider and they told him they would look into this issue.
My main reason for posting this was so other admins would know to look for this script and keep an eye open and see what they are doing with it.
The server that my friend conducts his business on is redhat 7.3.i386.
He also has a wins2k site for messing around on.
None of the above are dedicated servers. He rents space off of a mid-size company and phpfm works on both of them.
I did however tell him about ServerBeach :) .
MajorCrazy
2003-08-16, 03:22 AM
Besides, if code exploits your preset permissions then that's a hack and that's an exploit! Not the other way around :). Tools are tools any way you look at them. And look at what all of us that use Windows servers are facing: RPC attacks!!! Code flaw? Permission flaw?
Like I posted above, Just making admins aware of this issue, new or old. All admins need to know this :)