Security Audit

Our Web Application Pentest ( WAP) attempts to address the Owasp top 10 & SANS top 20 web application vulnerabilities and other exploitable loopholes of your web application . Along with it our WAP team also test web applications for Business logic flaws that can directly or indirectly effect the functioning of application.

Trainings

We are here to help you solve your biggest query- where and how to start? CDI has brought various courses in Ethical Hacking in Chandigarh where all you technology lovers will be given the much needed push to move forward and create a niche for yourself in the field. From Beginner to Expert level we have many kinds of training patterns.

Call Us : +91-771045-0011 | +91-771045-0022

All The Codes Generated by PHP FormMail Generator are Vulnerable

 

 

Read-to-use web forms builder, PHP FormMail generator has multiple security vulnerabilities. This is a single instance website which creates PHP codes for standard web forms. Further, developers use this code to implement forms in WordPress and PHP websites. All these vulnerabilities have been discovered by Pouya Darabi (An Independent Security Researcher). These vulnerabilities are openly inviting an attacker to gain the access of webmail administration panel by sending some remote code scripts. An attacker could also obtain all the files from the hijacked server. In actual, the vulnerabilities exist in PHP code which has been generated by PHP FormMail generator. The PHP code is allowing attackers to bypass user authentication.

 

List of Vulnerabilities

CVE-2016-9482 (Authentication Bypass Vulnerability)

The security researcher reported that it is an “Authentication Bypass” vulnerability. Attackers could exploit this vulnerability by assuming immutable data. An unauthorized remote attacker may bypass authorization process by directly navigation the code to /admin.php?mod=admin&func=panel. During his research, Pouya successfully got the access to the administration panel.

 

CVE-2016-9483 (Deserialization of Untrusted Data)

A security researcher found that the generated PHP code is converting untrusted strings into objects (deserialization). The generated PHP Code is performing this action alongside the phpfmg_filman_download() function. An attacker can exploit this vulnerability to inject a malicious PHP code. Moreover, he can exploit this vulnerability by using another vulnerability (CVE-2016-9484) to perform an LFI (local File Inclusion) attack. A successful LFI attack could allow attackers to obtain all the files located on the server.

 

CVE-2016-9484 (Path Traversal Vulnerability)

This security vulnerability is a Path Traversal vulnerability, in which an attacker can access arbitrary files on the server. The generated PHP code is not capable of validating user input folder directories in a proper way.

 

Affected Users

All those PHP Codes which have been generated by users before 6 December 2016 are vulnerable. To patch these security vulnerabilities, PHP FormMail Generator has updated its website. You can regenerate PHP codes for your forms by using the current website. You can also apply manual patches to fix all these security vulnerabilities.

 

Other Hot Hacking News:

80 Sony IP CCTV Camera Models Are Affected With Two Secret Backdoors

Update Your Chrome Browser to Latest Version "Chrome 55"- 36 Security Vulnerabilities Patched

Distributed Guessing Attack- A Six Seconds Attack to Hack VISA Payment System without Card Details

Leave a Reply

Name
Email id
Contact No
Comment

See more of Cyber Intelligence by logging in.
Connect with cyber security experts,Discover job opportunities,Online Training, Information Security Advisory and lot more.