ProjectSend Path Traversal Vulnerability in Delete Handler

A path traversal vulnerability has been identified in ProjectSend versions up to r1945. The issue arises in the 'import-orphans.php' file within the Delete Handler component. The vulnerability allows remote exploitation by manipulating the 'files[]' argument, leading to unauthorized deletion of files on the server.

Impact

Exploitation of this vulnerability allows for arbitrary file deletion on the server. This could include critical application files or configuration files, potentially leading to a complete application outage or exposure of sensitive information.

Reproduction

To reproduce this vulnerability, send a POST request to 'import-orphans.php' with the 'action' parameter set to 'delete' and the 'files[]' parameter containing a path traversal sequence (e.g., '../') followed by a target file name. Include a valid session cookie to authenticate as an administrator.

Remediation

It is recommended to add a realpath boundary check before deleting files, ensuring that the resolved path remains within the allowed upload directory. This check should be similar to the existing validation in 'upload.process.php'.