A critical authentication bypass vulnerability, identified as CVE-2023-53894, exists in phpfm products. This flaw allows an unauthenticated attacker to gain administrative access by exploiting a weakness in how passwords are verified, potentially leading to a complete system compromise by uploading and executing malicious code.

The vulnerability is caused by a loose type comparison (using == instead of the strict === operator in PHP) during the password validation process. When PHP compares two strings that appear to be numeric (e.g., "0e123" and "0e456"), it may evaluate them as floating-point numbers. In this case, both strings are interpreted as zero, resulting in a successful match. An attacker can exploit this by providing a password whose hash begins with "0e" or "00e" and contains only digits thereafter. If the stored password hash for a legitimate user also follows this pattern, the comparison will incorrectly succeed, granting the attacker access to that user's account without knowing the actual password. Once authenticated, the attacker can leverage the application's file upload functionality to place a malicious PHP script on the server, leading to remote code execution.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows an attacker to completely bypass authentication and gain administrative control over the affected application. The primary business impact is the high risk of a full server compromise, which can lead to significant consequences including theft of sensitive data, service disruption, website defacement, and the server being used as a foothold to launch further attacks against the internal network. The potential for reputational damage and financial loss is severe.

Immediate Action: The primary remediation is to apply the security patches provided by the vendor immediately. Organizations should update all instances of phpfm to the latest secure version. Consult the official vendor security advisory for specific patch information and installation instructions. After patching, it is crucial to review server access logs for any signs of unauthorized logins or suspicious file uploads that may have occurred prior to the update.

Proactive Monitoring: Monitor web server and application logs for successful authentication events from unknown or suspicious IP addresses. Specifically, look for POST requests to login endpoints followed by file upload activity, particularly for files with extensions like .php, .phtml, or .phar. Implement file integrity monitoring on the web server to detect the creation of new, unauthorized files in web-accessible directories.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Restrict access to the phpfm administrative interface to trusted IP addresses at the network or firewall level.
• Deploy a Web Application Firewall (WAF) with rules designed to detect and block common PHP type juggling attack patterns.
• If the file upload functionality is not essential for business operations, disable it within the application's configuration.

Public Exploit Available: true

Given the critical 9.8 CVSS score and the availability of public exploits, this vulnerability represents an immediate and severe threat to the organization. We strongly recommend that the immediate action plan be executed without delay. All affected phpfm instances must be patched or taken offline until they can be secured. Due to the high likelihood of active exploitation, all vulnerable systems should be proactively investigated for signs of compromise, even after patching is complete.