PHP File Manager Backdoor
29 July 2015 - 13:18, in Vulnerabilities

It was recently discovered that the PHP File Manager user database, stored in the file ‘/db/valid.users’, is completely unprotected and can be freely downloaded with any web browser. The password hashes stored in the user database are unsalted and are generated with the deprecated MD5 hash algorithm. Most of these hashes can be instantly reversed to their original passwords using online MD5 reversing services.

To make matters worse, the product contains a poorly secured backdoor user that compromises all security measures. This user is located in the file ‘/db/valid.users’ and has the user name ‘****__DO_NOT_REMOVE_THIS_ENTRY__****’.
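A triage check for the two issues described above, as an added example that is not part of the original post or of the PHP File Manager code base: it inspects a local copy of valid.users for the backdoor entry and MD5-shaped values, and scans web access logs for successful downloads of the file. The combined log format, the `name:hash` sample layout and all sample values are assumptions constructed for illustration.

```python
import hashlib
import re
from urllib.parse import unquote

# Marker from the user name quoted in the post, matched as a substring.
BACKDOOR_MARKER = "__DO_NOT_REMOVE_THIS_ENTRY__"
# A bare 32-hex-digit token is the shape of an unsalted MD5 digest.
MD5_SHAPED = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])")
# Assumption: access logs use the common/combined log format.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')


def audit_user_db(text):
    """Flag the backdoor entry and count MD5-shaped values in valid.users."""
    return {
        "backdoor_entry": BACKDOOR_MARKER in text,
        "md5_shaped_values": len(MD5_SHAPED.findall(text)),
    }


def user_db_downloads(log_lines):
    """Return (client, request target) for 2xx responses serving db/valid.users."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        # Decode %-escapes and drop the query string before comparing paths.
        path = unquote(target.split("?", 1)[0]).lower()
        if path.endswith("/db/valid.users") and status.startswith("2"):
            hits.append((client, target))
    return hits


# Constructed sample data; the real file layout is not shown in the post.
SAMPLE_DB = "\n".join([
    "alice:" + hashlib.md5(b"constructed-1").hexdigest(),
    "****__DO_NOT_REMOVE_THIS_ENTRY__****:" + hashlib.md5(b"constructed-2").hexdigest(),
])
SAMPLE_LOG = [
    '203.0.113.7 - - [29/Jul/2015:13:20:01 +0000] "GET /filemanager/db/valid.users HTTP/1.1" 200 412 "-" "-"',
    '198.51.100.4 - - [29/Jul/2015:13:21:10 +0000] "GET /fm/db/valid%2Eusers HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    print(audit_user_db(SAMPLE_DB))
    print(user_db_downloads(SAMPLE_LOG))
```

A hit from `user_db_downloads` means the hash file was served to that client, so every account in it should be treated as exposed and its password rotated.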
