Multiple vulnerabilities spotted in PHP FormMail Generator

Independent Security Researcher Pouya Darabi spotted multiple vulnerabilities in the PHP FormMail Generator site that could allow a remote user to gain access to the form's administrator panel or to obtain files from the server.

PHP FormMail Generator is a single-instance website that generates PHP code for standard web forms to be included in PHP or WordPress websites. According to a Dec. 8 security advisory, the vulnerabilities arise because the generator produces code that is vulnerable to authentication bypass and to unsafe deserialization of untrusted data.

"A remote unauthenticated user may bypass authentication to access the administrator panel by navigating directly to: /admin.php?mod=admin&func=panel," the advisory said.

The website has since been patched and an updated version was made available on Dec. 6. Those who used the site prior to the update are encouraged to regenerate the PHP form code using the updated website, or to manually apply patches.
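As an added illustration of the two defect classes the advisory names (this is not the generator's own code or the vendor's patch; the module and function names, the `admin_authenticated` session key and the JSON storage format are assumptions), the following hardened dispatcher shows what a regenerated `admin.php` should do differently: every admin action is gated behind a session check before dispatch, and stored form data is never passed to `unserialize()` with object creation enabled.

```php
<?php
// Hypothetical hardened admin.php dispatcher (added example, not the PHP FormMail
// Generator's code). Assumptions: a successful login sets
// $_SESSION['admin_authenticated'] = true, and persisted submissions are JSON.
declare(strict_types=1);

session_start();

// Allow-list of dispatchable module/function pairs. Anything else is rejected
// before any code path runs, so an unexpected ?mod=...&func=... cannot reach
// internal functions.
const ALLOWED_ACTIONS = [
    'login' => ['form', 'submit'],
    'admin' => ['panel', 'export'],
];

// Authentication gate. The bypass in the advisory works because the panel can be
// reached directly by URL; the fix is to verify the session on every request,
// not only on the login page.
function require_admin(): void
{
    if (($_SESSION['admin_authenticated'] ?? false) !== true) {
        header('Location: /admin.php?mod=login&func=form', true, 302);
        exit;
    }
}

// Safe loader for stored submissions: json_decode() carries no object
// instantiation semantics, so attacker-controlled bytes cannot trigger
// __wakeup()/__destruct() gadget chains the way unserialize() can.
function load_submissions(string $raw): array
{
    $data = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// If legacy serialize() data must still be read, forbid class instantiation so
// objects come back as __PHP_Incomplete_Class instead of live application objects.
function load_legacy_submissions(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

$mod  = $_GET['mod']  ?? 'login';
$func = $_GET['func'] ?? 'form';

if (!isset(ALLOWED_ACTIONS[$mod]) || !in_array($func, ALLOWED_ACTIONS[$mod], true)) {
    http_response_code(404);
    exit('Unknown action');
}

// Only the login module is reachable without an authenticated session.
if ($mod !== 'login') {
    require_admin();
}

if ($mod === 'admin' && $func === 'panel') {
    // Storage path is a placeholder for wherever the generated form keeps its data.
    $submissions = load_submissions((string) file_get_contents(__DIR__ . '/data/submissions.json'));
    echo 'Admin panel: ' . count($submissions) . " submissions\n";
}
```

The order of operations is the point: the allow-list and `require_admin()` run before any module code, so a direct request for `/admin.php?mod=admin&func=panel` without a valid session is redirected rather than served. Switching persisted data from `serialize()` to JSON removes the deserialization sink entirely; the `allowed_classes => false` variant is only a stopgap for reading data already on disk.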
