Critical Authentication Flaw in ProjectSend Exploited by Hackers

November 27, 2024

Hackers have found a way to exploit a critical authentication bypass flaw in ProjectSend, an open-source file-sharing web application. The vulnerability, known as CVE-2024-11680, enables attackers to manipulate HTTP requests to 'options.php', leading to changes in the application's configuration. As a result, they can create unauthorized accounts, plant webshells, and insert malicious JavaScript code.

This flaw was initially fixed on May 16, 2023, but it was not assigned a CVE until recently, leaving users uninformed about the severity of the issue and the importance of applying the security update. The patching progress has been disappointingly slow, with 99% of ProjectSend instances still operating a vulnerable version according to investigations.

ProjectSend is a preferred choice for organizations that favor self-hosted solutions over third-party services like Google Drive and Dropbox. There are approximately 4,000 public-facing ProjectSend instances online, most of which remain vulnerable. The data shows that 55% of the exposed instances are running r1605, released in October 2022, 44% are using an unnamed release from April 2023, and only 1% have updated to r1750, the patched version.

The exploitation of CVE-2024-11680 is not limited to testing. Threat actors have managed to alter system settings to enable user registration, gain unauthorized access, and deploy webshells to retain control over compromised servers. This activity has seen a surge since September 2024, when Metasploit and Nuclei released public exploits for CVE-2024-11680.

The report states, 'VulnCheck noticed that public-facing ProjectSend servers had started to change their landing page titles to long, random-ish strings,' and 'These long and random-ish names are in line with how both Nuclei and Metasploit implement their vulnerability testing logic.' Furthermore, 'Both exploit tools modify the victim's configuration file to alter the sitename (and therefore HTTP title) with a random value.' GreyNoise has identified 121 IPs associated with this activity, indicating a widespread issue rather than an isolated source.

The researchers caution that the webshells are saved in the 'upload/files' directory, with names generated from a POSIX timestamp, the username's SHA1 hash, and the original file name/extension. Direct access to these files through the web server is a telltale sign of active exploitation. Upgrading to ProjectSend version r1750 immediately is vital as attacks are likely already widespread.
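As an added example (not code from the article, VulnCheck, or the ProjectSend project), the following Python helper turns the indicator above into a log check: it scans web-server access-log lines for direct requests to script files under the 'upload/files' directory. The log format, the `find_webshell_access` name and the sample lines (including the hash values) are constructed for illustration.

```python
import re

# Added example: flag direct requests to server-side scripts under
# ProjectSend's 'upload/files' directory, the indicator the article
# describes for planted webshells. Log format assumed: Apache/nginx
# "combined" style (constructed assumption, not from the article).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SCRIPT_EXT = ('.php', '.phtml', '.phar', '.php5', '.php7')


def is_webshell_access(path: str) -> bool:
    """True if the request targets a script file under /upload/files/."""
    path = path.split('?', 1)[0].lower()   # drop query string, normalise case
    return '/upload/files/' in path and path.endswith(SCRIPT_EXT)


def find_webshell_access(log_lines):
    """Return the parsed entries that look like direct webshell access."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines not in the expected format
        if is_webshell_access(m.group('path')):
            hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                         'path': m.group('path'), 'status': m.group('status')})
    return hits


# Constructed sample log lines (not real traffic; hashes are made up).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Nov/2024:10:01:02 +0000] "POST /options.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [27/Nov/2024:10:02:10 +0000] "GET /upload/files/'
    '1732701730_a94a8fe5ccb19ba61c4c0873d391e987982fbbd3-shell.php?cmd=id HTTP/1.1" 200 128',
    '203.0.113.5 - - [27/Nov/2024:10:03:00 +0000] "GET /upload/files/'
    '1732701800_da39a3ee5e6b4b0d3255bfef95601890afd80709-report.pdf HTTP/1.1" 200 40210',
    '203.0.113.5 - - [27/Nov/2024:10:03:30 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == '__main__':
    for hit in find_webshell_access(SAMPLE_LOG):
        print(hit)
```

Only the .php request under upload/files is reported; an ordinary document download from the same directory is not.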
