ProjectSend LDAP Injection Vulnerability Allowing User Enumeration

Vulnerability

An LDAP injection vulnerability has been identified in ProjectSend versions up to r1945. The issue resides in the file includes/Classes/Auth.php, specifically in the loginLdap() function, where the ldap_email parameter is inserted directly into an LDAP search filter without sanitization. Because filter metacharacters are not escaped, an attacker can add wildcard characters to the filter; the application then responds differently depending on whether the modified filter matched an entry, and this response discrepancy can be exploited for email enumeration. The attack can be executed remotely and does not require authentication.

Impact

Exploitation of this vulnerability allows for unauthorized email enumeration from the LDAP directory, confirming the existence of users based on the application's response.

Reproduction

To reproduce this vulnerability, first ensure that ProjectSend has LDAP authentication enabled and that a reachable LDAP server is configured. The target user must exist in both the LDAP directory and the ProjectSend database. Start by sending a GET request to the index.php page to establish a session and retrieve the CSRF token. Then, send a POST request with the ldap_email parameter set to a non-existent email, along with the csrf_token and a placeholder password. The response will indicate that the email does not exist. After repeating the process with an existing email, the response will confirm the user's existence.

Remediation

It is recommended to sanitize the ldap_email input using ldap_escape() before it is used to build the filter passed to ldap_search(). However, as of now, there is no official patch or mitigation available.
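The following is an added illustration of the recommended fix and is not ProjectSend's own code: it places a filter built by plain string concatenation beside one built with ldap_escape(), using the filter-context flag. The function names, the $ldap/$baseDn variables, the mail attribute and the probe value are assumptions made for the example.

```php
<?php
// Illustrative example, not ProjectSend's code. Only ldap_email, loginLdap()
// and ldap_escape() come from the advisory; everything else here is assumed.

// Vulnerable pattern: the submitted value is concatenated straight into the
// filter. A value such as "*@example.com" (constructed) turns the equality
// match into a wildcard match, so the login response reveals whether any
// entry in the directory matches, which is the enumeration channel described.
function buildFilterVulnerable(string $email): string
{
    return "(mail=" . $email . ")";
}

// Hardened pattern: escape the value for the filter context before it is
// interpolated. LDAP_ESCAPE_FILTER encodes the filter metacharacters
// * ( ) \ and NUL as \2a \28 \29 \5c \00, so an attacker-supplied "*" is
// compared literally instead of acting as a wildcard.
function buildFilterSafe(string $email): string
{
    return "(mail=" . ldap_escape($email, "", LDAP_ESCAPE_FILTER) . ")";
}

// Lookup helper in the shape a loginLdap()-style routine might use (assumed).
// $ldap is an open LDAP connection, $baseDn the search base.
function findUserByEmail($ldap, string $baseDn, string $email): bool
{
    $filter = buildFilterSafe($email);
    $result = ldap_search($ldap, $baseDn, $filter, ["dn"]);
    if ($result === false) {
        return false;
    }
    // Require exactly one match; a wildcard that survived escaping would be
    // visible here as zero or several entries rather than a single account.
    return ldap_count_entries($ldap, $result) === 1;
}

// Compare the two filters on a constructed probe value; no LDAP server is
// needed for this part of the example.
$probe = "*@example.com";
echo "unsafe: ", buildFilterVulnerable($probe), PHP_EOL;
echo "safe:   ", buildFilterSafe($probe), PHP_EOL;
```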

Added: Mar 12, 2026, 5:19 PM
Updated: Mar 12, 2026, 5:19 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 7.8
remediation: 0.0
relevance: 3.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.