Nintendo, Nestle, Loreal, Siemens, Oracle amongst many using a vulnerable PHP file manager

Update: 7:17 AM Pacific, June 29, 2015; the Siemens Social Media Team has responded:

 


Original post:

 

Sijmen Ruwhof recently posted a vulnerability disclosure that, in his words…

At this moment, confidential files can be be easily downloaded from Eneco, Nintendo, Danone, Nestle, Loreal, EON, Siemens, Vattenfall, Oracle, Oxford, Hilton, T-Mobile, CBS, UPC, 3M and also a couple of banks and quite a lot of other companies (lesser known to me).

In his very well-written post that exhaustively documents his discovery and journey thus far, he also points out that security researcher Stefan Horlacher from CSNC also found it in 2012, and that Revived Wire Media was contacted three times even back then by him, but he got no response from them.

The product in question is the PHP File Manager by Revived Wire; and as of this time – I’m getting a Page Not Found on the Revived Wire website. Interesting 404 customization..I wish they spent as much time looking at their email to see multiple security researchers responsibly reporting serious security vulnerabilities in their product that’s being used to manage confidential data by some very big names in the industry.

Customized 404 message at Revived Wire when I tried to look up the PHP File Manager product

Customized 404 message at Revived Wire when I tried to look up the PHP File Manager product

You may also like...

1 Response

  1. “I wish they spent as much time looking at their email to see multiple security researchers responsibly reporting serious security vulnerabilities in their product that’s being used to manage confidential data by some very big names in the industry.”

    Haha 😀

Leave a Reply

%d bloggers like this: