Multiple vulnerabilities in Ioncube loader-wizard.php - Vulnerability Database

Multiple vulnerabilities in Ioncube loader-wizard.php

Description

The ionCube Loader Wizard (loader-wizard.php) is a diagnostic and installation tool distributed with ionCube PHP Encoder to help configure the ionCube Loader extension. Versions prior to 2.46 contain multiple security vulnerabilities including information disclosure and directory traversal flaws. This file is intended only for temporary use during installation but is often left accessible on production web servers, creating an exploitable attack surface.

Remediation

Take immediate action to remove the exposure of this vulnerable file:

1. Verify whether the file exists: Check your web root and application directories for any instances of loader-wizard.php.

2. Remove the file (Recommended): Since this wizard is only needed during initial ionCube Loader installation, delete it from your web server:

rm /path/to/webroot/loader-wizard.php

3. Alternative - Upgrade if needed: If you must keep the file for administrative purposes, upgrade to version 2.46 or later from the official ionCube website, and restrict access using web server configuration:

For Apache (.htaccess or virtualhost config):
<Files "loader-wizard.php">
    Require ip 192.168.1.0/24
    # Replace with your admin IP range
</Files>

For Nginx:
location ~* loader-wizard\.php$ {
    allow 192.168.1.0/24;
    deny all;
}

4. Verify removal: Confirm the file is no longer accessible by attempting to access it through a web browser.
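The four steps above, scripted as an added example (not part of the Invicti advisory and not ionCube's own tooling): locate every copy of loader-wizard.php under one or more directories, remove them, and classify the HTTP status a URL returns so that exposure can be checked from the command line instead of a browser. It assumes a POSIX shell with `find` and `curl`; the directory and URL values are placeholders you substitute for your own.

```shell
#!/bin/sh
# Added example: find, remove and re-check loader-wizard.php exposure.
# Assumes POSIX sh, find and curl. Roots and URLs are placeholders.

# Step 1: list every loader-wizard.php under the given directories.
find_wizard_files() {
    # $@ = one or more directories to search, e.g. /var/www
    find "$@" -type f -name 'loader-wizard.php' 2>/dev/null
}

# Step 2: delete each copy found and report what was removed.
remove_wizard_files() {
    find_wizard_files "$@" | while IFS= read -r f; do
        rm -f -- "$f" && echo "removed: $f"
    done
}

# Step 4 helper: map an HTTP status code to a verdict.
# Returns 0 when the file is blocked (403/404), 1 when it is still
# served (200), 2 for anything else that needs a manual look.
classify_status() {
    case "$1" in
        200)     echo "EXPOSED (HTTP $1)"; return 1 ;;
        403|404) echo "blocked (HTTP $1)"; return 0 ;;
        *)       echo "unknown (HTTP $1)"; return 2 ;;
    esac
}

# Step 4: fetch only the status code for a URL and classify it.
check_wizard_url() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1")
    printf '%s: ' "$1"
    classify_status "$code"
}

# Usage (placeholders):
#   find_wizard_files /var/www /srv/app
#   remove_wizard_files /var/www
#   check_wizard_url https://example.invalid/loader-wizard.php
```

Run `find_wizard_files` first to see what would be touched; `remove_wizard_files` deletes without prompting, and `check_wizard_url` should come back as blocked for every virtual host that previously served the file, including any aliases and alternate ports.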
