CVE-2023-53894
Authentication Bypass in phpfm 1.7.9 Enables Remote Code Upload
Publication date: 2025-12-16
Last updated on: 2025-12-16
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpfm | phpfm | 1.7.9 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1390 | The product uses an authentication mechanism to restrict access to specific users or identities, but the mechanism does not sufficiently prove that the claimed identity is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in phpfm 1.7.9 is an authentication bypass caused by PHP's loose type comparison during password hash validation. Attackers can craft password hashes starting with prefixes like '0e' or '00e' which PHP interprets as zero in scientific notation. Because the application uses loose comparison (==) to check the password hash against the logged-on status, these specially crafted hashes evaluate as true, allowing attackers to bypass authentication without knowing the real password. This lets them log in and upload malicious PHP files to the server. [2]
How can this vulnerability impact me? :
This vulnerability allows attackers to bypass authentication and gain unauthorized access to the phpfm application. Once authenticated, attackers can upload malicious PHP files, such as web shells, to the server. This can lead to remote code execution, allowing attackers to execute arbitrary commands on the server, potentially compromising the entire system and its data. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can involve checking for unauthorized access or uploaded PHP shell files on the server, especially files like 'shell.php' in web-accessible directories. Monitoring HTTP POST requests to the phpfm endpoint that include suspicious PHP payloads can help identify exploitation attempts. Since the vulnerability involves authentication bypass via crafted password hashes starting with '0e' or '00e', reviewing authentication logs for unusual login patterns or successful logins without valid credentials is useful. Specific commands are not provided in the resources, but monitoring web server logs for POST requests to phpfm and scanning for unexpected PHP files in upload directories are recommended. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the phpfm application, disabling or removing the vulnerable phpfm versions (1.6.1 through 1.7.9), and preventing file uploads if possible. Applying strict type comparison in the authentication logic or updating to a patched version when available is critical. Additionally, monitoring and removing any uploaded malicious PHP files and restricting execution permissions in upload directories can reduce risk. Using network controls to block unauthorized access to the phpfm endpoint and reviewing server configurations to limit PHP execution in upload folders are also recommended. [2]