header-logo
Suggest Exploit
vendor:
ProjectSend r561
by:
Le Ngoc Phi & ITAS Team
7.5
CVSS
HIGH
SQL Injection
89
CWE
Product Name: ProjectSend r561
Affected Version From: ProjectSend r561
Affected Version To: ProjectSend r561
Patch Exists: NO
Related CWE: N/A
CPE: a:projectsend:projectsend:r561
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2015

ProjectSend r561 – SQL injection vulnerability

ProjectSend r561 is vulnerable to SQL injection. An attacker can exploit this vulnerability to gain access to the database and execute arbitrary SQL commands. The vulnerable code is located in the client-edit.php file, where the user-supplied input is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to construct SQL queries in an unsafe manner. All user-supplied input should be validated and filtered before being used in a SQL query.
Source

Exploit-DB raw data:

#Vulnerability title: ProjectSend r561 - SQL injection vulnerability
#Product: ProjectSend r561
#Vendor: http://www.projectsend.org/
#Affected version: ProjectSend r561
#Download link: http://www.projectsend.org/download/67/
#Fixed version: N/A
#Author: Le Ngoc Phi (phi.n.le@itas.vn) & ITAS Team (www.itas.vn)


::PROOF OF CONCEPT::

+ REQUEST:
GET /projectsend/users-edit.php?id=<SQL INJECTION HERE> HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101
Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 54f8105d859e0_SESSION=q6tjpjjbt53nk1o5tnbv2123456;
PHPSESSID=jec50hu4plibu5p2p6hnvpcut6
Connection: keep-alive


- Vulnerable file: client-edit.php
- Vulnerable parameter: id
- Vulnerable code: 
if (isset($_GET['id'])) {
  $client_id = mysql_real_escape_string($_GET['id']);
  /**
   * Check if the id corresponds to a real client.
   * Return 1 if true, 2 if false.
   **/
  $page_status = (client_exists_id($client_id)) ? 1 : 2;
}
else {
  /**
   * Return 0 if the id is not set.
   */
  $page_status = 0;
}

/**
 * Get the clients information from the database to use on the form.
 */
if ($page_status === 1) {
  $editing = $database->query("SELECT * FROM tbl_users WHERE
id=$client_id");
  while($data = mysql_fetch_array($editing)) {
    $add_client_data_name = $data['name'];
    $add_client_data_user = $data['user'];
    $add_client_data_email = $data['email'];
    $add_client_data_addr = $data['address'];
    $add_client_data_phone = $data['phone'];
    $add_client_data_intcont = $data['contact'];
    if ($data['notify'] == 1) { $add_client_data_notity = 1; }
else { $add_client_data_notity = 0; }
    if ($data['active'] == 1) { $add_client_data_active = 1; }
else { $add_client_data_active = 0; }
  }
}



::DISCLOSURE::
+ 01/06/2015: Detect vulnerability
+ 01/07/2015: Contact to vendor
+ 01/08/2015: Send the detail vulnerability to vendor - vendor did not reply
+ 03/05/2015: Public information

::REFERENCE::
-
http://www.itas.vn/news/itas-team-found-out-a-SQL-Injection-vulnerability-in
-projectsend-r561-76.html


::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY
IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS
A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION
OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS,
AND AT THE USER'S OWN RISK.



Best Regards,
---------------------------------------------------------------------
ITAS Team (www.itas.vn)

Navigation

Suggest Exploit

Services By CQR