ProjeQtOr Project Management File Upload Vulnerability Allowing Remote Code Execution

Vulnerability

A file upload vulnerability has been identified in ProjeQtOr Project Management version 9.1.4. A guest user can upload a PHP file disguised as an image through the profile attachment feature, and the uploaded file can afterwards be reached and executed through specially crafted request parameters. The root cause is that the attachment upload accepts the file based on its claimed type rather than its content, and a later request path lets the stored file's PHP code run.

Impact

Successful exploitation gives a guest user remote code execution on the server hosting ProjeQtOr, with the privileges of the PHP/web server process. Because guest access is the lowest privilege level in the application, the effective prerequisite is only an account that can log in.

Reproduction

To reproduce this vulnerability, log into the ProjeQtOr portal as a guest user. Navigate to the profile section and, through the attachment feature, upload a PHP file disguised as an image (an image filename and type, PHP code as content). Once stored, the file is reachable through a URL pattern that includes the attachment number and the '.projeqtor' file extension. A further request that carries a command parameter then causes the server to execute that command.
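The following PHP sketch is an added illustration and not ProjeQtOr code or the advisory's proof of concept. It places the kind of check that lets a PHP file disguised as an image through next to a content-based check, a server-chosen storage name and a download path that streams bytes instead of executing them. Function names (`weakIsImage`, `hardenedImageType`, `storeAttachment`, `serveAttachment`), the storage directory and the sample bytes are hypothetical or constructed for this example.

```php
<?php
// Added example, not ProjeQtOr code: a generic profile-attachment handler
// showing the weak check that lets "a PHP file disguised as an image" through,
// next to a content-based check, a server-chosen storage name and a safe
// download path. Function names, the storage directory and the sample bytes
// are hypothetical / constructed for this illustration.
declare(strict_types=1);

const ALLOWED_IMAGES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

// WEAK: trusts the client-supplied filename and Content-Type. A file named
// avatar.jpg whose content is "<?php ... ?>" passes this check unchanged.
function weakIsImage(string $clientName, string $clientMime): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    return in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)
        && str_starts_with($clientMime, 'image/');
}

// HARDENED: decide from the bytes only. Returns the canonical extension to
// store under, or null to reject. Nothing the client sends is trusted.
function hardenedImageType(string $bytes): ?string
{
    // 1. libmagic on the content, independent of filename and Content-Type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);
    if ($mime === false || !isset(ALLOWED_IMAGES[$mime])) {
        return null;
    }
    // 2. Polyglot guard: a valid JPEG/PNG/GIF prefix can still carry PHP in
    //    comment segments or trailing bytes, so refuse any PHP open tag
    //    (assumes short_open_tag is off, so a bare "<?" is not executable).
    if (preg_match('/<\?(php\b|=)/i', $bytes) === 1) {
        return null;
    }
    // 3. The image header must actually parse and agree with libmagic.
    $info = @getimagesizefromstring($bytes);
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        return null;
    }
    return ALLOWED_IMAGES[$mime];
}

function storeAttachment(string $bytes, string $storageDir): ?string
{
    $ext = hardenedImageType($bytes);
    if ($ext === null) {
        return null;
    }
    // Server-generated name: the client never influences path or extension.
    // $storageDir is assumed to sit outside the web root.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (file_put_contents($storageDir . '/' . $name, $bytes) === false) {
        return null;
    }
    return $name;
}

// Serve by streaming bytes with a fixed image Content-Type. The stored file is
// never passed to include/require/eval, and the name must match the shape
// storeAttachment() produces, which also rules out path traversal.
function serveAttachment(string $storageDir, string $name): void
{
    if (preg_match('/^[0-9a-f]{32}\.(jpg|png|gif)$/', $name, $m) !== 1) {
        http_response_code(404);
        return;
    }
    $path = $storageDir . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . array_search($m[1], ALLOWED_IMAGES, true));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);
}

// Constructed samples (not real uploads): a 1x1 PNG, and PHP source wearing a
// JPEG signature plus an image filename, the shape the advisory describes.
$realPng   = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$disguised = "\xFF\xD8\xFF\xE0" . '<?php echo "executed"; ?>';

foreach (['avatar.png' => $realPng, 'avatar.jpg' => $disguised] as $name => $bytes) {
    printf("%-11s weak=%-6s hardened=%s\n", $name,
        weakIsImage($name, 'image/jpeg') ? 'accept' : 'reject',
        hardenedImageType($bytes) ?? 'reject');
}
```

Two points matter more than the validator itself. First, the stored file must never be executable: keep the attachment directory outside the document root, or disable the PHP handler for it (for example `php_admin_flag engine off` in an Apache directory block), so that even a file that slips past validation is only ever read as bytes. Second, renaming the stored file to an internal extension does not help if any later code path can `include`, `require` or `eval` its contents based on request parameters; that is the pattern the advisory describes, and it has to be removed rather than hidden behind a different extension.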

Added: Jan 15, 2026, 4:26 PM
Updated: Jan 15, 2026, 4:26 PM

Vulnerability Rating

Custom Algorithm
spread: 3.1
impact: 10.0
exploitability: 6.6
remediation: 0.0
relevance: 2.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.