PhpMyExplorer Directory traversal

OWASP 2013-A7 OWASP 2017-A5 CAPEC-213 CWE-22 WASC-33 WSTG-ATHZ-01

PhpMyExplorer is a PHP application that lets a user update a website online without needing FTP access. Many servers are affected by a vulnerability through which the application allows an attacker to view and read files that reside outside the directory it is supposed to be confined to. An attacker who notices PhpMyExplorer on the web application can modify the site's contents or even erase the site entirely. The vulnerability is exploited through a directory traversal attack, in which an attacker uses HTTP to access and modify files outside the web root on the host server. The best way to fix this vulnerability is to implement file access limitation on the web server.

Example

The following URL is an example of this vulnerability:

https://www.example.beaglesecurity.com/index.php?chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc

Under this vulnerability, any user can browse the /etc/ directory and view any file on the web server that the web server has read access to. %2F is the URL-encoded value of the forward slash (/).

Impact

An attacker can easily exploit this vulnerability to gain unauthorised access to the application or to the underlying database. The attacker can also gain access to all files and folders outside the web root and read restricted, sensitive information to compromise the application. The attacker can also impersonate a user to steal information from the application. This type of attack does not leave any trails behind, so detecting this vulnerability is hard.

Mitigation / Precaution

Beagle recommends the following fixes:

  • Use the file access limitation for your Web server.
  • Apply all the latest update patches.
  • Install the latest version of your web server software.
  • Filter metacharacters from the user input.
  • Restrict the access to the .htaccess file in the directory of the application.
  • Place the .htaccess file in the same directory as that of the password file to limit access.
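As an added illustration of the first recommendation, the following PHP is not PhpMyExplorer's own code: it shows the unchecked join that lets a parameter such as chemin=..%2F..%2F..%2Fetc escape the base directory, beside a check that canonicalises the path and rejects anything that resolves outside the configured base. The function names, the base directory and the sample inputs are assumptions constructed for the example.

```php
<?php
// Added example, not PhpMyExplorer's own code. Demonstrates confining a
// user-supplied path (the "chemin" parameter) to a fixed base directory.
// Function and variable names are assumptions for illustration.

// Vulnerable pattern (the behaviour described above): the parameter is
// joined to the base directory unchecked, so "../../../../etc" (sent as
// ..%2F..%2F..%2F..%2Fetc; PHP has already URL-decoded $_GET) escapes it.
function resolve_unchecked(string $baseDir, string $chemin): string
{
    return $baseDir . '/' . $chemin;
}

// Hardened version: canonicalise with realpath() and require the result to
// be the base directory itself or a path strictly inside it.
function resolve_in_base(string $baseDir, string $chemin): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($chemin, "\0") !== false) {
        return null; // missing base, or NUL byte in the parameter
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $chemin);
    if ($candidate === false) {
        return null; // target does not exist
    }
    // The trailing separator stops /var/www/site2 from matching /var/www/site.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($candidate !== $base && strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the base directory
    }
    return $candidate;
}

// Demo against a throw-away directory (constructed test data).
$base = sys_get_temp_dir() . '/pme_demo_' . bin2hex(random_bytes(4));
mkdir($base . '/docs', 0700, true);
file_put_contents($base . '/docs/readme.txt', "hello\n");

$inputs = ['docs', 'docs/readme.txt', 'docs/..', urldecode('..%2F..%2F..%2F..%2F..%2F..%2Fetc')];
foreach ($inputs as $chemin) {
    printf("%-28s unchecked: %s\n", $chemin, resolve_unchecked($base, $chemin));
    $safe = resolve_in_base($base, $chemin);
    printf("%-28s hardened : %s\n", '', $safe === null ? 'REJECTED' : $safe);
}

unlink($base . '/docs/readme.txt');
rmdir($base . '/docs');
rmdir($base);
```

Because realpath() resolves symlinks before the prefix comparison, a link inside the base that points elsewhere is also rejected; the check belongs in the request handler before any file is listed, read or written.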
