Projeqtor Unrestricted File Upload Vulnerability Leading to Remote Code Execution
Vulnerability
A critical vulnerability exists in Projeqtor versions through 12.0.2, allowing authenticated users to upload malicious files via the /tool/saveAttachment.php endpoint. The application fails to properly validate or sanitize uploaded file types, enabling the upload of executable PHP files with extensions such as .phar or .php. This flaw can be exploited to execute arbitrary code on the server. The vulnerability affects instances that were not securely configured as recommended during installation.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the server, with the executed commands running under the web server's user privileges. This could lead to full system control, depending on the server's configuration.
Reproduction
To reproduce this vulnerability, log into Projeqtor v12.0.2 and obtain the PHPSESSID cookie from the authenticated session. Then, send a POST request to /tool/saveAttachment.php with a malicious file, using the PHPSESSID cookie to authenticate the request. After uploading the file, extract the assigned attachment number from the response and use it to access the uploaded file through the URL, which will trigger the execution of the embedded system command.
Remediation
Users are advised to upgrade to Projeqtor version 12.0.3 or later. Even on instances that have already been upgraded, ensure that the attachment directory is not accessible via the web, as recommended during the initial installation.
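As an added defender-side example (not code from this advisory or from Projeqtor), the following Python script scans web-server access logs for requests that fetch a .php or .phar file from under the attachment directory and records whether the same client had earlier POSTed to /tool/saveAttachment.php. A successful (200) fetch of such a file is itself evidence that the attachment directory is web-served, which the remediation above says it must not be. The attachment web path /files/attach/ and the sample log lines are assumptions constructed for the example; set the prefix to match your instance.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access-log format. Sample lines below are constructed, not real traffic.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

UPLOAD_ENDPOINT = "/tool/saveattachment.php"  # compared after lower-casing the path
ATTACH_PREFIX = "/files/attach/"  # ASSUMED web path of the attachment directory; adjust per instance
EXEC_EXTS = (".php", ".phar")     # extensions named in the advisory

def parse_line(line):
    """Return the fields needed from one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop query string, normalise case
    return rec

def detect(lines):
    """Scan log lines in order. Returns one alert dict per request for an executable-extension
    file under the attachment directory; 'uploaded_before' is True when the same client already
    POSTed to the upload endpoint earlier in the log (upload-then-fetch pattern)."""
    posted = defaultdict(bool)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT:
            posted[rec["ip"]] = True
        elif rec["path"].startswith(ATTACH_PREFIX) and rec["path"].endswith(EXEC_EXTS):
            alerts.append({"ip": rec["ip"], "path": rec["path"],
                           "status": int(rec["status"]), "uploaded_before": posted[rec["ip"]]})
    return alerts

SAMPLE_LOG = [  # constructed sample; 10.0.0.5 uploads then fetches, 10.0.0.9 probes without uploading
    '10.0.0.5 - - [01/Jan/2025:10:00:01 +0000] "POST /view/main.php HTTP/1.1" 200 512 "-" "ua"',
    '10.0.0.5 - - [01/Jan/2025:10:00:05 +0000] "POST /tool/saveAttachment.php HTTP/1.1" 200 88 "-" "ua"',
    '10.0.0.5 - - [01/Jan/2025:10:00:09 +0000] "GET /files/attach/42/note.phar HTTP/1.1" 200 300 "-" "ua"',
    '10.0.0.5 - - [01/Jan/2025:10:00:10 +0000] "GET /view/main.php HTTP/1.1" 200 512 "-" "ua"',
    '10.0.0.7 - - [01/Jan/2025:10:01:00 +0000] "GET /files/attach/43/report.pdf HTTP/1.1" 200 9000 "-" "ua"',
    '10.0.0.9 - - [01/Jan/2025:10:02:00 +0000] "GET /files/attach/44/x.php HTTP/1.1" 404 200 "-" "ua"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Ordinary Projeqtor pages also end in .php, so the check is deliberately scoped to the attachment prefix rather than to any .php path.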