CVE-2021-40887

9.8 CRITICAL

📋 TL;DR

CVE-2021-40887 is a critical directory traversal vulnerability in ProjectSend file sharing software that allows attackers to upload arbitrary files to any location on the server. This affects all users running ProjectSend r1295 who have file upload functionality enabled. Attackers can exploit this to upload malicious PHP files and potentially achieve remote code execution.

💻 Affected Systems

Products:
  • ProjectSend
Versions: r1295
Operating Systems: All platforms running ProjectSend
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default installation when file upload functionality is enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Unauthorized file upload leading to web shell deployment and limited server compromise.

🟢

If Mitigated

File upload attempts blocked or logged with no successful exploitation.

🌐 Internet-Facing: HIGH - Web applications with file upload functionality are directly exposed to internet-based attacks.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit if they have network access to the application.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only web access to the upload endpoint with directory traversal payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: r1296 and later

Vendor Advisory: https://github.com/projectsend/projectsend/issues/994

Restart Required: No

Instructions:

1. Back up the current installation.
2. Download the latest version from the official repository.
3. Replace the vulnerable files with the patched version.
4. Verify that file permissions are correct.

🔧 Temporary Workarounds

Input Validation Filter

Platforms: all

Add server-side validation to reject file paths containing directory traversal sequences.

Modify the upload handler to sanitize filenames using: preg_replace('/\.\.\//', '', $filename). Note that a single pass of this replacement can be bypassed (for example, '....//' collapses to '../' after one removal) and it does not catch backslash variants, so prefer reducing the name to its last path component with basename(), applying an extension allowlist, and only then writing the file.

Web Application Firewall Rule

Platforms: all

Block requests containing directory traversal patterns in file upload parameters.

WAF rule: Block if ARGS:files[] contains '../' (apply the rule to the URL-decoded value so that encoded forms such as %2e%2e%2f are also caught).

🧯 If You Can't Patch

  • Disable file upload functionality completely in ProjectSend configuration
  • Implement strict file extension whitelisting and store uploaded files outside web root

🔍 How to Verify

Check if Vulnerable:

Check if running ProjectSend version r1295 by examining version files or admin panel

Check Version:

Check /includes/version.php or admin dashboard for version information

Verify Fix Applied:

Test file upload with traversal payloads (e.g., '../../malicious.php') on a staging instance; the request should be rejected.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to upload endpoints with '../' in parameters
  • File write operations outside expected upload directory

Network Indicators:

  • Unusual file upload patterns with traversal sequences
  • POST requests to /upload/ with abnormal filenames

SIEM Query:

source="web_logs" AND (uri_path="/upload/" OR uri_path="/includes/upload/") AND (http_method="POST") AND (request_body MATCHES "\.\./")
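The following is an added example, not ProjectSend's code, covering both the Input Validation Filter workaround and the detection logic above: it shows why a single-pass '../' strip is insufficient, a hardened path resolver that applies basename(), an extension allowlist and a realpath containment check, and a log check that decodes percent-encoding before looking for traversal sequences. The function names, the allowlist and the sample request lines are constructed for this example.

```python
"""Hardened upload-path handling and a log check for upload traversal.
Added example; function names, allowlist and sample data are constructed."""
import os
import re
from urllib.parse import unquote


def naive_strip(filename: str) -> str:
    """Single-pass equivalent of preg_replace('/\\.\\.\\//', '', $filename)."""
    return re.sub(r"\.\./", "", filename)


ALLOWED_EXT = {"pdf", "png", "jpg", "txt"}  # constructed allowlist, no scripts


def safe_upload_path(upload_dir: str, client_filename: str,
                     allowed_ext=ALLOWED_EXT) -> str:
    """Return the absolute path to write to, or raise ValueError.
    Expects the already URL-decoded form field; upload_dir should sit
    outside the web root."""
    # Keep only the last path component; treat backslashes as separators too.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError("invalid filename")
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext not in allowed_ext:
        raise ValueError(f"extension not allowed: {ext!r}")
    root = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(target) != root:  # defence in depth: must stay inside root
        raise ValueError("path escapes upload directory")
    return target


TRAVERSAL = re.compile(r"\.\./|\.\.\\")


def has_traversal(raw: str) -> bool:
    """Decode up to two layers of percent-encoding, then look for ../ or ..\\."""
    s = raw
    for _ in range(2):
        s = unquote(s)
    return bool(TRAVERSAL.search(s))


# Constructed sample request lines as a SIEM might store them.
SAMPLE_REQUESTS = [
    "POST /upload/ files[]=report.pdf",
    "POST /upload/ files[]=../../shell.php",
    "POST /upload/ files[]=%2e%2e%2fshell.php",
    "POST /includes/upload/ files[]=....//shell.php",
]


def flag_requests(lines):
    """Return the lines that carry a traversal sequence after decoding."""
    return [line for line in lines if has_traversal(line)]
```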
