SB2015010703 - Multiple vulnerabilities in ProjectSend
Published: January 7, 2015 Updated: November 9, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) SQL injection (CVE-ID: CVE-2015-2564)
The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.
The vulnerability exists due to insufficient sanitization of user-supplied data passed via the id parameter to users-edit.php. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.
Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in database and gain complete control over the affected application.
2) Cross-site scripting (CVE-ID: CVE-2014-9580)
Vulnerability allows a remote attacker to perform Cross-site scripting attacks.
An input validation error exists in ProjectSend (formerly cFTP) r561 when processing Description field in a file upload. NOTE: this issue was originally incorrectly mapped to CVE-2014-1155; see CVE-2014-1155 for more information. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim's browser in security context of vulnerable website.
Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.
3) Code Injection (CVE-ID: CVE-2014-9567)
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the upload/files/ or upload/temp/ directory.
Remediation
Install update from vendor's website.
References
- http://osvdb.org/show/osvdb/119169
- http://packetstormsecurity.com/files/130691/ProjectSend-r561-SQL-Injection.html
- http://seclists.org/fulldisclosure/2015/Mar/30
- http://www.exploit-db.com/exploits/36303
- http://www.itas.vn/news/itas-team-found-out-a-SQL-Injection-vulnerability-in-projectsend-r561-76.html
- http://www.securityfocus.com/archive/1/534832/100/0/threaded
- http://packetstormsecurity.com/files/129666
- http://www.exploit-db.com/exploits/35582
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99550
- http://osvdb.org/show/osvdb/116469
- http://packetstormsecurity.com/files/129759/ProjectSend-Arbitrary-File-Upload.html
- http://www.exploit-db.com/exploits/35424
- http://www.exploit-db.com/exploits/35660
- https://exchange.xforce.ibmcloud.com/vulnerabilities/99548