cbcvebase.
CVE-2014-9567
published 2015-01-07

CVE-2014-9567: Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP…

PriorityP271high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
43.34%
98.6th percentile
Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the upload/files/ or upload/temp/ directory.

Affected

15 ranges
VendorProductVersion rangeFixed in
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend
projectsendprojectsend

Detection & IOCsextracted from sources · hover to see the quote

pathprocess-upload.php
pathupload/files/
pathupload/temp/
urlprocess-upload.php?name=<filename>
commandPOST /process-upload.php?name=<phpfile> multipart/form-data
  • Detect unauthenticated POST requests to process-upload.php with a PHP file extension in the filename parameter (e.g., ?name=*.php), which indicates exploitation of the unrestricted file upload vulnerability.
  • Alert on HTTP GET requests to upload/files/*.php or upload/temp/*.php, which indicate post-upload execution of a malicious PHP webshell.
  • Flag multipart/form-data POST requests to process-upload.php where the uploaded file part has a .php extension in its filename field, as this is the direct attack vector.
  • A 200 response to a GET on process-upload.php (without POST body) can be used as a check step to fingerprint a vulnerable ProjectSend instance prior to exploitation.
  • ·The default TARGETURI for the Metasploit module is '/ProjectSend/', so detection rules scoped to that path prefix may miss instances installed at a different base path.
  • ·The upload destination path differs by revision: r-100 to r-219 write to upload/temp/, while r-221 onwards write to upload/files/. Detection must cover both paths.
  • ·The vulnerability affects ProjectSend revisions r100 through r561; instances outside this range are not affected and should not trigger the same detection logic.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.