CVE-2021-40884
📋 TL;DR
Projectsend r1295 has an authorization bypass vulnerability that allows users with the uploader role to download and edit all files in the application. The cause is a missing authorization check on the ids parameter in files-edit.php and on the id parameter in process.php: neither script verifies that the requested file belongs to the requesting user. All Projectsend installations running version r1295 are affected.
💻 Affected Systems
- Projectsend
📦 What is this software?
Projectsend by Projectsend
⚠️ Risk & Real-World Impact
Worst Case
Uploader users can access, modify, and download all sensitive files including confidential documents, personal data, and system files, potentially leading to data breach, data manipulation, or privilege escalation.
Likely Case
Uploader users unintentionally or intentionally access files they shouldn't have permission to view, leading to unauthorized data disclosure and potential compliance violations.
If Mitigated
With proper role-based access controls and network segmentation, impact is limited to unauthorized file access within the uploader's assigned scope.
🎯 Exploit Status
Exploitation requires uploader role credentials. The vulnerability is simple to exploit by manipulating URL parameters.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: r1296 and later
Vendor Advisory: https://github.com/projectsend/projectsend/issues/992
Restart Required: No
Instructions:
1. Back up your Projectsend installation and database.
2. Download the latest version from the official repository.
3. Replace the vulnerable files with the patched versions.
4. Verify that the authorization checks are working.
🔧 Temporary Workarounds
Temporary access restriction
Temporarily disable uploader accounts, or restrict their access, until the patch is applied.
Web server rewrite rule
Add rules to block direct access to the vulnerable PHP files. Note that the rule below returns 403 for every role, including administrators, so any workflow that depends on files-edit.php or process.php is unavailable until the patch is applied.
# Apache .htaccess
RewriteEngine On
RewriteRule ^(files-edit\.php|process\.php)$ - [F]
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Projectsend from sensitive systems
- Enable detailed logging and monitoring for unauthorized file access attempts
🔍 How to Verify
Check if Vulnerable:
Check whether the installation is running version r1295 by examining the version files or the admin panel. Then test whether an uploader user can open files-edit.php or process.php with file IDs belonging to other users.
Check Version:
Check includes/version.php or the admin panel for the version number.
Verify Fix Applied:
After updating, verify that uploader users can no longer access or modify files belonging to other users, and that the authorization checks in files-edit.php and process.php reject such requests.
📡 Detection & Monitoring
Log Indicators:
- Multiple file download/access attempts from single uploader user
- Access to files-edit.php or process.php with unusual ID parameters
- File access patterns outside normal user behavior
Network Indicators:
- Unusual spikes in file download traffic from uploader accounts
- Requests to files-edit.php with sequential or random ID parameters
SIEM Query:
The query below is illustrative Splunk SPL; it assumes the request log carries user_role and file_id fields and that a lookup table named user_authorized_files maps each user to the file IDs they own (the lookup and field names are assumptions, adjust them to your environment).
source="projectsend_logs" (uri="/files-edit.php" OR uri="/process.php") user_role="uploader"
| lookup user_authorized_files user file_id OUTPUT authorized
| where isnull(authorized)
| stats count by user, uri, file_id
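The log indicators above (requests to files-edit.php or process.php naming file IDs the uploader does not own, and sequential ID walking) can be checked outside a SIEM as well. The script below is an added example, not code from the original page or from the Projectsend project. It parses constructed access-log lines in an assumed format (client IP, user, role, request, status), joins them against an assumed file-ownership table, and reports both kinds of anomaly; the log format, the FILE_OWNERS table and the user names are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real Projectsend logs). The assumed
# format is: client_ip user role "METHOD path?query HTTP/x" status
# The user and role fields are assumptions; a real deployment would join
# the web-server log against the application's session or user table.
SAMPLE_LOG = """\
10.0.0.5 alice uploader "GET /files-edit.php?ids=17 HTTP/1.1" 200
10.0.0.5 alice uploader "GET /files-edit.php?ids=18 HTTP/1.1" 200
10.0.0.5 alice uploader "GET /files-edit.php?ids=19 HTTP/1.1" 200
10.0.0.5 alice uploader "GET /process.php?do=download&id=42 HTTP/1.1" 200
10.0.0.9 bob uploader "GET /files-edit.php?ids=7 HTTP/1.1" 200
10.0.0.2 carol admin "GET /files-edit.php?ids=42 HTTP/1.1" 200
"""

# Constructed ownership table: file id -> uploader who owns the file.
FILE_OWNERS = {7: "bob", 17: "alice", 18: "bob", 19: "carol", 42: "carol"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) (?P<role>\S+) '
    r'"(?P<method>\S+) (?P<path>[^ ?]+)(?:\?(?P<query>\S*))? [^"]*" '
    r'(?P<status>\d{3})$'
)

# The two endpoints named by the advisory and the parameter each one reads.
WATCHED = {"/files-edit.php": "ids", "/process.php": "id"}


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    params = {}
    for pair in (rec["query"] or "").split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[key] = value
    rec["params"] = params
    return rec


def requested_file_ids(rec):
    """Return the file ids a request names on a watched endpoint (may be several, comma-separated)."""
    param = WATCHED.get(rec["path"])
    if param is None or param not in rec["params"]:
        return []
    return [int(x) for x in rec["params"][param].split(",") if x.isdigit()]


def find_unauthorized(log_text, owners):
    """Flag uploader requests that name a file the requesting user does not own.

    An id missing from the ownership table is flagged too (owner reported as None),
    since a request for an unknown file is worth a look.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["role"] != "uploader":
            continue
        for fid in requested_file_ids(rec):
            if owners.get(fid) != rec["user"]:
                hits.append((rec["user"], rec["path"], fid, owners.get(fid)))
    return hits


def find_enumeration(log_text, min_run=3):
    """Flag uploaders whose requested ids form a consecutive ascending run of min_run or more."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["role"] != "uploader":
            continue
        per_user[rec["user"]].extend(requested_file_ids(rec))
    flagged = {}
    for user, ids in per_user.items():
        run, longest = 1, 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[user] = longest
    return flagged


if __name__ == "__main__":
    for user, path, fid, owner in find_unauthorized(SAMPLE_LOG, FILE_OWNERS):
        print(f"unauthorized: {user} requested file {fid} via {path} (owner: {owner})")
    for user, run in find_enumeration(SAMPLE_LOG).items():
        print(f"enumeration: {user} walked {run} consecutive file ids")
```

Run against the sample, the script reports three unauthorized requests by alice (files 18, 19 and 42) and flags her three consecutive ids (17, 18, 19) as enumeration; bob's single request for his own file and the admin's request are not reported. On a patched installation the same requests should appear in the log with a non-200 status, so a second pass that keeps only status 200 lines separates attempts from successes.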