
Security vulnerability allows for upload of malicious files without authentication! #521

Open
GoogleCodeExporter opened this issue Mar 23, 2015 · 8 comments

Comments

@GoogleCodeExporter

For the second time, my hosting provider has warned me about a supposedly 
malicious php-file that was uploaded into my ProjectSend installation.
I did a web-search on security issues with ProjectSend and came across this 
notice:
http://packetstormsecurity.com/files/129759/projectsend_upload_exec.rb.txt

The security exploit is described as follows, and fits with the problem I am 
facing:

"This Metasploit module exploits a file upload vulnerability in ProjectSend 
revisions 100 to 561. The 'process-upload.php' file allows unauthenticated 
users to upload PHP files resulting in remote code execution as the web server 
user."

The exploit code is provided, which should help with the fix.

Please let me know if or when this security vulnerability is fixed.
Many thanks.

Original issue reported on code.google.com by [email protected] on 27 Jan 2015 at 6:17

@GoogleCodeExporter
Author

I was also hacked.  Got an email bounce notification that tipped me off to look 
in the upload/files/ folder.  Found two PHP files: wtindex.php and 
n8731157tp.php.  I couldn't tell what they do but I removed them and changed my 
password.  Would like to know of any patch necessary to prevent this.

Original comment by [email protected] on 18 Feb 2015 at 2:41

@GoogleCodeExporter
Author

The priority on this should be higher. For the second time it's happened to a 
site I run and I have to find a way around or go with a different solution.

Original comment by [email protected] on 19 Feb 2015 at 8:03

@GoogleCodeExporter
Author

Totally dumb question but I'm guessing that because this exploits the process-upload.php file that it circumvents the sys.includes.php file or any of the security settings for preventing php files? I have my security settings to not allow anything other than a graphics file to the upload folder but assume that they are getting around this?

Original comment by [email protected] on 19 Feb 2015 at 9:06

@GoogleCodeExporter
Author

That is correct, it bypasses the security settings and apparently has been around for a while. For now I've renamed the problem file and prevented the upload directory from executing any files.

Original comment by [email protected] on 20 Feb 2015 at 12:55

@GoogleCodeExporter
Author

[deleted comment]

@GoogleCodeExporter
Author

I am not sure what [email protected] means, but I tried to follow his advice. I placed a .htaccess file in upload/files/ and turned off PHP execution as explained at https://stackoverflow.com/questions/6368777/how-to-prevent-uploaded-file-from-being-executed . Everything still seems to work, as far as I can see. I hope this helps a little, but a real fix would be better. This issue should have a higher priority!

Original comment by [email protected] on 20 Feb 2015 at 2:01
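The two stop-gaps the thread settles on, disabling script execution in the upload directory and checking that directory for dropped PHP files, as one added shell script. This is example code written for this issue; it is not ProjectSend's code and not something any commenter posted. The `upload/files` path comes from the reports above; the extension list and the Apache 2.4 `Require` syntax are assumptions to adjust for the host.

```sh
#!/bin/sh
# Added example (not ProjectSend's code and not from the thread): the two
# stop-gaps discussed in this issue as reusable shell functions. The path
# upload/files comes from the reports here; the extension list and the
# Apache 2.4 syntax are assumptions, adjust them to your host.

# List files under DIR whose name carries an extension Apache/PHP may hand to
# the PHP engine. The trailing '*' also catches double extensions such as
# shell.php.jpg, which mod_mime can still treat as PHP. Anything printed from
# inside an upload directory deserves a look.
find_server_side_scripts() {
  find "$1" -type f \( -iname '*.php*' -o -iname '*.phtml*' -o -iname '*.phar*' \) \
       2>/dev/null
}

# Succeeds (exit 0) only when DIR exists and contains no such file; usable
# from cron or CI as a cheap "has something been dropped here" check.
upload_dir_is_clean() {
  [ -d "$1" ] && [ -z "$(find_server_side_scripts "$1")" ]
}

# Apache 2.4 directives for DIR/.htaccess that refuse any request for a script
# file in that directory, so an uploaded .php is answered with 403 instead of
# being run. Deliberately not anchored with '$' so double extensions are
# denied too. AllowOverride for the directory must include AuthConfig (or All).
htaccess_deny_scripts() {
  cat <<'EOF'
# Uploaded files must never execute: deny requests for script extensions.
<FilesMatch "\.(php|phtml|phar)">
    Require all denied
</FilesMatch>
EOF
}

# Write the hardening to DIR/.htaccess, keeping a backup of any existing one.
write_htaccess() {
  [ -f "$1/.htaccess" ] && cp "$1/.htaccess" "$1/.htaccess.bak"
  htaccess_deny_scripts > "$1/.htaccess"
}

# Stand-alone use: ./harden_upload_dir.sh /var/www/projectsend/upload/files
if [ $# -gt 0 ]; then
  write_htaccess "$1"
  if upload_dir_is_clean "$1"; then
    echo "no script files found under $1"
  else
    echo "script files present under $1 (review and remove):"
    find_server_side_scripts "$1"
  fi
fi
```

Only Apache reads `.htaccess`; nginx ignores it, so there the equivalent `location` deny rule belongs in the server block. The deny rule sits in front of the handler, so it applies whether PHP runs as mod_php or behind php-fpm. It does not fix the missing authentication in `process-upload.php`; it only stops whatever lands in the directory from being executed, which is why the thread still asks for a real fix.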

@GoogleCodeExporter
Author

kleemann... thanks for that.  I just added.  Hope it prevents further problems.

Original comment by [email protected] on 20 Feb 2015 at 6:54

@GoogleCodeExporter
Author

The script would check for process-upload.php; I renamed it to something random. It appears to only be referenced in upload-from-computer.php.

It is possible to find out what the newly renamed file is, but that would require registering and logging in. While not a fix, it makes it more difficult and manual for the attacker.

```ruby
def check
  res = send_request_cgi(
    'uri' => normalize_uri(target_uri.path, 'process-upload.php')   # <----- the file name the check looks for
  )
  if !res
    vprint_error("#{peer} - Connection timed out")
    return Exploit::CheckCode::Unknown
  elsif res.code.to_i == 404
    vprint_error("#{peer} - No process-upload.php found")            # <-------- a 404 here ends the check
    # (excerpt ends here in the original comment)
```

Original comment by [email protected] on 20 Feb 2015 at 7:08
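The comment above explains the traffic shape: a request to `process-upload.php` that no session protects, followed by a request for the dropped file under `upload/files/`. As an added example (written for this issue, not taken from the thread, the Metasploit module, or ProjectSend), the script below triages an Apache combined-format access log for exactly that sequence. The `/projectsend/` prefix and all log lines are constructed; field positions assume the combined format.

```sh
#!/bin/sh
# Added example, written for this issue and not taken from the thread, the
# Metasploit module, or ProjectSend: triage an Apache combined-format access
# log for the pattern described above, an unauthenticated request to
# process-upload.php followed by a request for a script under upload/files/.
# Assumptions: combined log format (client IP is field 1, method field 6,
# path field 7); the /projectsend/ prefix and every log line are constructed.

# Constructed sample, not real traffic. 203.0.113.5 uploads and then calls
# its file; 198.51.100.9 fetches a legitimate document.
SAMPLE_LOG='203.0.113.5 - - [20/Feb/2015:12:55:01 +0000] "GET /projectsend/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Feb/2015:12:55:02 +0000] "POST /projectsend/process-upload.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Feb/2015:12:55:03 +0000] "GET /projectsend/upload/files/wtindex.php HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Feb/2015:13:10:44 +0000] "GET /projectsend/upload/files/report.pdf HTTP/1.1" 200 88211 "-" "Mozilla/5.0"'

# Every request to the upload endpoint. On a fixed install these all belong
# to logged-in sessions; volume from unknown clients is the first signal.
upload_endpoint_hits() {
  grep -E '"[A-Z]+ [^" ]*/process-upload\.php' "$1"
}

# Requests for a script file inside the upload directory. A 200 here means
# the server executed something a client uploaded.
script_requests_in_upload_dir() {
  grep -Ei '"[A-Z]+ [^" ]*/upload/files/[^" ]*\.(php|phtml|phar)' "$1"
}

# Client IPs that POSTed to process-upload.php and later requested a script
# under upload/files/ (one IP per line, reported once each).
upload_then_execute_ips() {
  awk '
    $6 == "\"POST" && $7 ~ /\/process-upload\.php/ { posted[$1] = NR }
    $7 ~ /\/upload\/files\/[^ ]*\.(php|phtml|phar)/ && ($1 in posted) \
        && NR > posted[$1] && !(seen[$1]++) { print $1 }
  ' "$1"
}

# Stand-alone use: ./upload_log_triage.sh /var/log/apache2/access.log
# Without an argument the constructed sample above is used.
if [ $# -gt 0 ]; then
  log="$1"
else
  log=$(mktemp)
  printf '%s\n' "$SAMPLE_LOG" > "$log"
fi
echo "== requests to process-upload.php";        upload_endpoint_hits "$log"
echo "== script requests under upload/files/";   script_requests_in_upload_dir "$log"
echo "== clients that uploaded, then executed";  upload_then_execute_ips "$log"
[ $# -gt 0 ] || rm -f "$log"
```

The third function is the useful one for incident scoping: it gives the client addresses and, via the line numbers it keys on, the time window to pull from the log, which is what the commenters above were missing when they found the files by accident. It only sees what Apache logged, so a web shell called through a different vhost or after log rotation will not appear; combine it with the directory sweep rather than relying on either alone.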
