CVE-2024-11680
📋 TL;DR
CVE-2024-11680 is an authentication bypass vulnerability in ProjectSend file sharing software. Unauthenticated attackers can modify application configuration via crafted HTTP requests to options.php, potentially creating accounts, uploading webshells, or injecting malicious JavaScript. All ProjectSend installations prior to version r1720 are affected.
💻 Affected Systems
- ProjectSend
📦 What is this software?
Projectsend by Projectsend
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via remote code execution, data theft, and persistent backdoor installation
Likely Case
Unauthorized file uploads, account creation, and potential web shell deployment leading to data exfiltration
If Mitigated
Limited impact with proper network segmentation and web application firewalls blocking malicious requests
🎯 Exploit Status
Metasploit module available; simple HTTP request exploitation with public proof-of-concept
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: r1720
Vendor Advisory: https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744
Restart Required: No
Instructions:
1. Backup current installation. 2. Download and install ProjectSend r1720 or later. 3. Replace all files with new version. 4. Verify configuration integrity.
🔧 Temporary Workarounds
Block access to options.php
allRestrict access to vulnerable endpoint via web server configuration
# Apache: RewriteRule ^options\.php$ - [F,L]
# Nginx: location ~ /options\.php$ { deny all; }
Implement IP restriction
allRestrict access to ProjectSend administration interface to trusted IPs only
# Apache: Require ip 192.168.1.0/24
# Nginx: allow 192.168.1.0/24; deny all;
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests to options.php with suspicious parameters
- Disable ProjectSend instance and migrate to alternative file sharing solution
🔍 How to Verify
Check if Vulnerable:
Check if version is below r1720 or test with Nuclei template: nuclei -u https://target.com -t projectsend-auth-bypass.yamlCheck Version:
Check includes/version.php or view page source for version informationVerify Fix Applied:
Verify version is r1720 or later and test that options.php endpoint properly validates authentication📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /options.php from unauthenticated users
- Unusual account creation events
- File uploads to unexpected directories
Network Indicators:
- HTTP requests to options.php with configuration parameters from unknown sources
- Outbound connections from ProjectSend server to suspicious IPs
SIEM Query:
source="web_access.log" AND uri="/options.php" AND (method="POST" OR params CONTAINS "config")🔗 References
- https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/projectsend-auth-bypass.yaml
- https://github.com/projectsend/projectsend/commit/193367d937b1a59ed5b68dd4e60bd53317473744
- https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/projectsend_unauth_rce.rb
- https://vulncheck.com/advisories/projectsend-bypass
- https://www.synacktiv.com/sites/default/files/2024-07/synacktiv-projectsend-multiple-vulnerabilities.pdf
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-11680
