Execution with Unnecessary Privileges in projectsend/projectsend


Reported on

Jul 2nd 2021


create client even when self client registration is disabled


Any user can create a client even when self client registration is disabled.


1. From the admin account, go to http://localhost/projectsend2/options.php?section=clients and disable client registration.
Self client registration is now no longer possible.
2. Now, from another browser, go to http://localhost/projectsend2/index.php, where you can see the message "This server does not allow self registrations."
Now get the csrf-token from this login page http://localhost/projectsend2/index.php and send the request below to register a client.

POST /projectsend2/register.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 171
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/projectsend2/register.php
Cookie: PHPSESSID=6vvp9v5o64e56lqj87duod7jm5
Upgrade-Insecure-Requests: 1


In the POST data of this request, change the csrf_token parameter value to the CSRF value captured above, and the request will create a new client.

So any external user can create a client even when client registration is disabled.
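The root cause described above is that the registration setting controls what the page displays but not what the POST handler accepts. The following is an added example, not ProjectSend's code or its fix: the setting key `clients_can_register`, both handler functions and all sample values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; names are hypothetical, not ProjectSend's code.

// Constructed state: the admin has disabled self-registration.
$settings = ['clients_can_register' => false];
$session  = ['csrf_token' => 'constructed-token'];
$post     = ['csrf_token' => 'constructed-token', 'name' => 'outsider'];

// Flawed pattern: the setting only decides whether the form is rendered.
function register_flawed(array $settings, string $method, array $post, array $session): array
{
    if ($method === 'GET') {
        return $settings['clients_can_register']
            ? [200, 'registration form']
            : [200, 'This server does not allow self registrations.'];
    }
    // The POST path never consults the setting, so a valid token is enough.
    if (!hash_equals($session['csrf_token'], (string)($post['csrf_token'] ?? ''))) {
        return [403, 'bad csrf token'];
    }
    return [201, 'client created'];
}

// Hardened pattern: the setting is enforced before any method-specific work.
function register_hardened(array $settings, string $method, array $post, array $session): array
{
    if (empty($settings['clients_can_register'])) {
        return [403, 'This server does not allow self registrations.'];
    }
    if ($method === 'GET') {
        return [200, 'registration form'];
    }
    if (!hash_equals($session['csrf_token'], (string)($post['csrf_token'] ?? ''))) {
        return [403, 'bad csrf token'];
    }
    return [201, 'client created'];
}

// Send the same constructed POST to both handlers and compare the outcome.
foreach (['register_flawed', 'register_hardened'] as $handler) {
    [$status, $body] = $handler($settings, 'POST', $post, $session);
    printf("%-18s POST -> %d %s\n", $handler, $status, $body);
}
```

A CSRF token only proves the request came from a page the server issued; it says nothing about whether the action is permitted, so the feature flag has to be checked in the handler itself.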

We have contacted a member of the projectsend team and are waiting to hear back 2 years ago


Hello maintainer, can you please validate this report?

Ignacio Nelson validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ignacio Nelson marked this as fixed in r1336 with commit 240d20 a year ago
Ignacio Nelson has been awarded the fix bounty
This vulnerability will not receive a CVE