All The Codes Generated by PHP FormMail Generator are Vulnerable

Read-to-use web forms builder, PHP FormMail generator has multiple security vulnerabilities. This is a single instance website which creates PHP codes for standard web forms. Further, developers use this code to implement forms in WordPress and PHP websites. All these vulnerabilities have been discovered by Pouya Darabi (An Independent Security Researcher). These vulnerabilities are openly inviting an attacker to gain the access of webmail administration panel by sending some remote code scripts. An attacker could also obtain all the files from the hijacked server. In actual, the vulnerabilities exist in PHP code which has been generated by PHP FormMail generator. The PHP code is allowing attackers to bypass user authentication.

List of Vulnerabilities

CVE-2016-9482 (Authentication Bypass Vulnerability)

The security researcher reported that it is an “Authentication Bypass” vulnerability. Attackers could exploit this vulnerability by assuming immutable data. An unauthorized remote attacker may bypass authorization process by directly navigation the code to /admin.php?mod=admin&func=panel. During his research, Pouya successfully got the access to the administration panel.

CVE-2016-9483 (Deserialization of Untrusted Data)

A security researcher found that the generated PHP code is converting untrusted strings into objects (deserialization). The generated PHP Code is performing this action alongside the phpfmg_filman_download() function. An attacker can exploit this vulnerability to inject a malicious PHP code. Moreover, he can exploit this vulnerability by using another vulnerability (CVE-2016-9484) to perform an LFI (local File Inclusion) attack. A successful LFI attack could allow attackers to obtain all the files located on the server.

CVE-2016-9484 (Path Traversal Vulnerability)

This security vulnerability is a Path Traversal vulnerability, in which an attacker can access arbitrary files on the server. The generated PHP code is not capable of validating user input folder directories in a proper way.

Affected Users

All those PHP Codes which have been generated by users before 6 December 2016 are vulnerable. To patch these security vulnerabilities, PHP FormMail Generator has updated its website. You can regenerate PHP codes for your forms by using the current website. You can also apply manual patches to fix all these security vulnerabilities.

Other Hot Hacking News: