CVE-2023-53980
📋 TL;DR
CVE-2023-53980 is a critical remote code execution vulnerability in ProjectSend r1605 that allows attackers to upload malicious files with disguised extensions. This enables execution of arbitrary commands on the server through the upload.process.php endpoint. All users running ProjectSend r1605 are affected.
💻 Affected Systems
- ProjectSend
📦 What is this software?
ProjectSend by ProjectSend
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise allowing attackers to execute arbitrary commands, steal data, install backdoors, pivot to other systems, and maintain persistent access.
Likely Case
Attackers upload web shells to gain unauthorized access, execute commands, and potentially compromise the entire server environment.
If Mitigated
With proper file upload validation and extension filtering, the attack would be blocked at the upload stage.
🎯 Exploit Status
Exploit code is publicly available on Exploit-DB (ID: 51238) and requires minimal technical skill to execute.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check ProjectSend website for latest version
Vendor Advisory: https://www.projectsend.org/
Restart Required: No
Instructions:
1. Back up your current ProjectSend installation.
2. Download the latest version from projectsend.org.
3. Replace the vulnerable files with patched versions.
4. Verify the upload.process.php endpoint has proper file extension validation.
🔧 Temporary Workarounds
File Upload Restriction
All platforms: Implement strict file extension validation and MIME type checking for uploads
# Modify upload.process.php to validate file extensions before the file is saved.
# $filename is the client-supplied name of the uploaded file.
$allowed_extensions = array('jpg', 'png', 'pdf', 'doc');
$file_extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
if (!in_array($file_extension, $allowed_extensions, true)) { die('Invalid file type'); }
Web Server File Execution Prevention
Linux: Configure web server to prevent execution of uploaded files in upload directories
# Apache: Add to .htaccess in upload directory
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead)
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
# Nginx: Add to server block
location ~* ^/uploads/.*\.(php|php3|php4|php5|phtml|pl|py|jsp|asp|sh|cgi)$ {
    deny all;
}
🧯 If You Can't Patch
- Disable file upload functionality completely in ProjectSend configuration
- Implement WAF rules to block requests to upload.process.php with suspicious file extensions
🔍 How to Verify
Check if Vulnerable:
Check if you're running ProjectSend r1605 by examining version files or checking the admin panel. Test by attempting to upload a file with a double extension like 'test.php.jpg'.
Check Version:
Check the version.txt file in ProjectSend root directory or view the admin dashboard
Verify Fix Applied:
After patching, attempt to upload a file with a malicious extension. The upload should be rejected with proper error messages.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed upload attempts with unusual file extensions
- Successful uploads of files with double extensions (e.g., .php.jpg)
- POST requests to upload.process.php with suspicious filenames
Network Indicators:
- HTTP POST requests to /upload.process.php with unusual Content-Type headers
- Uploads of files with executable extensions to the upload endpoint
SIEM Query:
source="web_server" AND (url="/upload.process.php" OR url="*upload*process*") AND (filename="*.php*" OR filename="*.sh*" OR filename="*.py*")
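An audit for the double-extension indicator listed above, as an added example (not code from this advisory or from ProjectSend). A check on the last extension alone lets 'test.php.jpg' through as 'jpg', so this looks at every dot-separated segment of a stored filename. The extension list is the one from the web server rules on this page; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Extensions taken from the FilesMatch / location rules on this page.
EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "phtml", "pl", "py",
                   "jsp", "asp", "sh", "cgi"}


def classify_upload_name(filename):
    """Return a list of findings for one uploaded filename (empty = clean)."""
    base = os.path.basename(filename.replace("\\", "/"))
    # Trailing dots and spaces are dropped by some filesystems, so
    # "shell.php." must be judged as "shell.php".
    parts = base.rstrip(". ").lower().split(".")
    segments = parts[1:]  # every segment after the first dot
    findings = []
    if segments and segments[-1] in EXECUTABLE_EXTS:
        findings.append("executable-extension")
    # An executable extension hidden before the final one, e.g. test.php.jpg.
    if any(seg in EXECUTABLE_EXTS for seg in segments[:-1]):
        findings.append("double-extension")
    return findings


def audit_upload_dir(root):
    """Walk an upload directory and return {relative_path: findings}."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings = classify_upload_name(name)
            if findings:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                flagged[rel] = findings
    return flagged


if __name__ == "__main__":
    # Constructed sample files, created in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        for n in ("report.pdf", "test.php.jpg", "shell.phtml", "notes.v2.doc"):
            open(os.path.join(d, n), "w").close()
        for path, why in sorted(audit_upload_dir(d).items()):
            print(path, why)
```

Point `audit_upload_dir` at the real upload directory of the installation to review files already stored there.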