PhpMyExplorer is a PHP application that lets you update your site online without any FTP access. A directory traversal vulnerability in the product allows attackers to list and read files that reside outside the directory the application is meant to expose.
Credit:
The information has been provided by Ben Ford.
Exploit:
Using a URL such as:
/index.php?chemin=..%2F..%2F..%2F..%2F..%2F..%2Fetc
Any user can browse the /etc/ directory and view any file the web server has read access to. The ..%2F sequences are URL-encoded ../ components; the web server decodes them before the application uses the chemin parameter to build a filesystem path, so the path is resolved relative to the application directory and climbs out of it.
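The following PHP is an added example, not PhpMyExplorer's own code, showing how a directory parameter such as chemin can be confined to a fixed base directory: the joined path is canonicalised with realpath(), which collapses the decoded ../ components and follows symlinks, and the result is accepted only if it still lies under the base. The constant BASE_DIR and the functions safe_browse_path() and list_confined_dir() are assumed names introduced here.

```php
<?php
// Added example (not part of PhpMyExplorer): confine a user-supplied
// directory parameter to a base directory before touching the filesystem.
// Assumed names: BASE_DIR, safe_browse_path(), list_confined_dir().

declare(strict_types=1);

// Assumed root that the explorer is allowed to expose.
const BASE_DIR = '/var/www/html/site';

/**
 * Resolve $requested (for example $_GET['chemin']) relative to $base and
 * return the canonical absolute path, or null if it does not exist or
 * escapes $base (via "..", an absolute path, or a symlink pointing outside).
 */
function safe_browse_path(string $base, string $requested): ?string
{
    // NUL bytes can truncate the path inside C-level filesystem calls.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null; // base directory missing or unreadable
    }

    // The web server has already decoded %2F to "/", so "../" is literal here.
    // realpath() collapses "." and ".." and resolves symlinks, so the check
    // below sees the real target rather than the textual path.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false) {
        return null; // path does not exist
    }

    // Compare with a trailing separator so that "/var/www/html/site2"
    // is not mistaken for a child of "/var/www/html/site".
    if ($candidate !== $baseReal
        && strpos($candidate, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null; // resolved outside the base directory
    }

    return $candidate;
}

/**
 * List a confined directory. Returns the entries, or null when the request
 * was rejected, so the caller can answer with an error instead of a listing.
 *
 * @return string[]|null
 */
function list_confined_dir(string $requested): ?array
{
    $dir = safe_browse_path(BASE_DIR, $requested);
    if ($dir === null || !is_dir($dir)) {
        return null;
    }
    $entries = scandir($dir);
    return $entries === false ? null : array_values(array_diff($entries, ['.', '..']));
}

// Usage at the explorer's entry point: "../../../../../../etc" resolves to
// /etc, which fails the prefix check and is rejected with HTTP 400.
$entries = list_confined_dir($_GET['chemin'] ?? '');
if ($entries === null) {
    http_response_code(400);
    exit('Invalid directory');
}
foreach ($entries as $entry) {
    echo htmlspecialchars($entry, ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```

The prefix comparison is done on the realpath() output rather than on the raw parameter, so rejecting the literal string ".." is not relied upon; an encoded, doubled, or symlink-based variant is caught the same way because only the final resolved location matters.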
Workaround: restricting access to PhpMyExplorer:
If access to PhpMyExplorer is not restricted, the application itself is a serious security hole: anyone who discovers it on your site can modify the site's contents or erase the site entirely. To prevent this, use your web server's file access restrictions. The following example shows how to do this for the Apache web server.
You must create the following three files (in text format):
* a .htaccess file in the application directory, to limit access to that directory,
* a password file in a secret directory,
* a .htaccess file in the same directory as the password file, to prevent the password file from being served.
Contents of the .htaccess file in the application directory:
AuthUserFile /secret/password
AuthName "Access restraint"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
The password file lists one user per line, each with the user's password encrypted in the traditional UNIX crypt format.