Nintendo, Nestle, Loreal, Siemens, Oracle amongst many using a vulnerable PHP file manager
Update: 7:17 AM Pacific, June 29, 2015; the Siemens Social Media Team has responded:
@Sujeet Our sincere thanks for notifying us of this. We are looking into it. Best regards, Your Siemens Social Media Team.
— Siemens (@Siemens) July 29, 2015
Original post:
Sijmen Ruwhof recently posted a vulnerability disclosure that, in his words…
At this moment, confidential files can be easily downloaded from Eneco, Nintendo, Danone, Nestle, Loreal, EON, Siemens, Vattenfall, Oracle, Oxford, Hilton, T-Mobile, CBS, UPC, 3M and also a couple of banks and quite a lot of other companies (lesser known to me).
In his very well-written post, which exhaustively documents his discovery and the journey thus far, he also points out that security researcher Stefan Horlacher from CSNC had already found the same issue in 2012, and that Horlacher contacted Revived Wire Media three times back then without ever getting a response.
The product in question is the PHP File Manager by Revived Wire; and as of this time – I’m getting a Page Not Found on the Revived Wire website. Interesting 404 customization... I wish they spent as much time looking at their email to see multiple security researchers responsibly reporting serious security vulnerabilities in their product that’s being used to manage confidential data by some very big names in the industry.
Haha 😀