CVE-2021-47819
📋 TL;DR
CVE-2021-47819 is a critical file upload vulnerability in ProjeQtOr Project Management software that allows guest users to upload malicious PHP files leading to remote code execution. Attackers can upload PHP scripts through the profile attachment feature and execute arbitrary system commands. All organizations using vulnerable versions of ProjeQtOr are affected.
💻 Affected Systems
- ProjeQtOr Project Management
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install backdoors, pivot to other systems, and potentially take full control of the server.
Likely Case
Attackers upload web shells to gain persistent access, execute commands to exfiltrate database contents, modify project data, or use the server for further attacks.
If Mitigated
With proper file upload restrictions and guest user limitations, impact is reduced to potential denial of service or limited data exposure.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (ID 49919). Attack requires only guest access and basic web request knowledge.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 9.1.5 or later
Vendor Advisory: https://www.projeqtor.org
Restart Required: No
Instructions:
1. Backup your ProjeQtOr installation and database.
2. Download the latest version from the official website.
3. Replace the existing installation files with the updated version.
4. Verify the upload functionality now properly validates file types.
🔧 Temporary Workarounds
Disable Guest Access
Remove guest user permissions or disable guest access entirely to prevent unauthenticated exploitation.
Navigate to Administration > Users > Guest user and remove all permissions
File Upload Restrictions
Implement web server-level restrictions so that PHP files in the attachments directory are never executed.
For Apache: Add 'php_flag engine off' to .htaccess in the upload directory (this takes effect only when PHP runs as an Apache module and AllowOverride permits it)
For Nginx: Add 'location ~ \.php$ { deny all; }' for the upload directory to the server block
🧯 If You Can't Patch
- Disable guest user accounts completely and require authentication for all access
- Implement WAF rules to block PHP file uploads and suspicious parameter patterns
🔍 How to Verify
Check if Vulnerable:
Check if you can upload a PHP file as a guest user through the profile attachment feature. Test with a harmless PHP file containing '<?php echo "test"; ?>'.
Check Version:
Check the version.txt file in the ProjeQtOr root directory or view the footer in the web interface
Verify Fix Applied:
Attempt to upload a PHP file as a guest user; it should be rejected. Verify that an already uploaded file cannot be executed even if renamed.
📡 Detection & Monitoring
Log Indicators:
- PHP file uploads in web server logs
- Unusual file uploads from guest accounts
- Requests to uploaded PHP files with suspicious parameters
Network Indicators:
- POST requests with PHP file uploads to attachment endpoints
- GET requests to uploaded files with command execution parameters
SIEM Query:
source="web_server" AND ((uri="*upload*" AND file_extension="php") OR (uri="*.php" AND (query="*cmd=*" OR query="*system=*")))
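The log and network indicators above, applied to constructed web-server access-log lines (an added example, not part of this advisory or of ProjeQtOr; the attachment directory path, endpoint names and client IPs are assumptions):

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumptions (constructed for this example, not taken from the advisory):
# attachments are served from ATTACH_DIR, and uploads go to a URI containing one of UPLOAD_HINTS.
ATTACH_DIR = "/files/attach/"
UPLOAD_HINTS = ("attachment", "upload")
SUSPICIOUS_PARAMS = {"cmd", "system"}  # the query keys named in the advisory's SIEM query

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines in combined log format; paths, IPs and timestamps are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2021:10:01:02 +0000] "GET /app/view/main.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [12/May/2021:10:02:10 +0000] "POST /app/attachment/save HTTP/1.1" 200 310 "-" "python-requests/2.25"
10.0.0.7 - - [12/May/2021:10:02:15 +0000] "GET /files/attach/0000001_note.php?cmd=id HTTP/1.1" 200 86 "-" "python-requests/2.25"
10.0.0.9 - - [12/May/2021:10:03:00 +0000] "GET /files/attach/0000002_report.pdf HTTP/1.1" 200 80211 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    return {"ip": m["ip"], "method": m["method"], "path": parts.path,
            "params": set(parse_qs(parts.query).keys()), "status": int(m["status"])}

def scan_access_log(text):
    """Apply the advisory's indicators and return (rule, client_ip, path) findings in log order."""
    findings = []
    uploaders = defaultdict(list)  # client ip -> endpoints it POSTed to
    for line in text.splitlines():
        r = parse_line(line)
        if r is None:
            continue
        lower = r["path"].lower()
        # Indicator 1: a POST to an attachment/upload endpoint (the upload step).
        if r["method"] == "POST" and any(h in lower for h in UPLOAD_HINTS):
            uploaders[r["ip"]].append(r["path"])
            findings.append(("attachment_upload", r["ip"], r["path"]))
        # Indicator 2: any request for a .php file inside the attachments directory.
        if lower.startswith(ATTACH_DIR) and lower.endswith(".php"):
            findings.append(("php_in_attachment_dir", r["ip"], r["path"]))
            if r["params"] & SUSPICIOUS_PARAMS:
                findings.append(("command_parameter", r["ip"], r["path"]))
            # Indicator 3: the same client uploaded earlier, then fetched PHP from the attachment directory.
            if r["ip"] in uploaders:
                findings.append(("upload_then_execute", r["ip"], r["path"]))
    return findings
```

With the mitigations above in place, the "php_in_attachment_dir" rule should still fire on the request but the response status should no longer be 200.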