ITAS Team discovered multiple vulnerabilities in ProjectSend

ITAS Team discovered multiple vulnerabilities in ProjectSend

ITAS Team discovered multiple vulnerabilities in ProjectSend (a self-hosted application) as Blind SQL injection, insecure Direct Object Reference, Privilege Escalation, XSS, …
– The application constructs all or part of an SQL command using externally-influenced input from an frontend component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a backend component.
– The application does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Vulnerability information:
– Vulnerability : Blind SQL injection, Insecure Direct Object Reference,Privilege Escalation, XSS, …
– Vendor : ProjectSend (http://www.projectsend.org/)
– Link download : http://www.projectsend.org/#download
– Affected version: version r514 and maybe previous version
– Fix version: version r561
– Discovered by: Trần Đình Tiến – tien.d.tran@itas.vn và ITAS Security Team

Information disclosure:
– 28/02/2014: Detected vulnerability
– 01/03/2014: Inform the vendor
– 04/03/2014: Vendor confirmed
– 23/04/2014: Vendor releases patch
– 21/10/2014: ITAS Team publishes information

Reference:
https://www.facebook.com/projectsend/posts/694675447255931

Demonstration video

/ Blog / Tags: ,