Full Report
This vulnerability was patched in May 2024 but was only allocated a CVE in November after evidence of exploitation
Analysis Summary
# Vulnerability: ProjectSend Improper Authentication Leading to Configuration Modification and Webshell Upload
## CVE Details
- CVE ID: CVE-2024-11680
- CVSS Score: 9.8 (Critical)
- CWE: (Not explicitly listed, but the flaw is rooted in Improper Authentication)
## Affected Systems
- Products: ProjectSend (open-source file-sharing web application)
- Versions: Prior to r1750 (the patched version)
- Configurations: Public-facing instances of ProjectSend.
## Vulnerability Description
The vulnerability is an improper authentication flaw, reported in January 2024, that allows attackers to modify the application's configuration remotely. This is achieved by sending specially crafted HTTP requests to the `options.php` endpoint. Successful exploitation allows the attacker to perform actions such as creating new user accounts, uploading webshells, and embedding malicious JavaScript within the application.
## Exploitation
- Status: Actively exploited in the wild (observed by VulnCheck in November 2024, which noted compromised instances whose landing pages had been changed).
- Complexity: Low (public exploits exist from Synacktiv, Project Discovery (Nuclei) and Rapid7 (Metasploit)).
- Attack Vector: Network (Remote exploitation via HTTP requests).
## Impact
- Confidentiality: High (Ability to upload webshells suggests potential for credential theft or data exfiltration).
- Integrity: High (Attackers can modify application configuration and upload arbitrary code/webshells).
- Availability: Medium to High (Possibility of denial of service or persistent compromise via webshells).
## Remediation
### Patches
- The official fix was released in August 2024 within version **r1750**.
### Workarounds
- No specific workarounds were detailed in the provided text; immediate patching is strongly advised given active exploitation. Restricting external access to `options.php` might offer temporary protection in theory, but it has not been confirmed as an effective mitigation.
## Detection
- **Indicators of Compromise (IoCs):** Server logs showing abnormal or numerous POST/GET requests to `options.php` carrying crafted payloads. Attackers have been observed changing public-facing landing-page titles to long, suspicious strings, which can serve as a specific detection marker.
- **Detection Methods and Tools:** Monitoring for suspicious activity targeting `options.php`. Vulnerability scanners (such as the Nuclei template or the Metasploit module) can be used to fingerprint vulnerable installations. Low patch adoption (only 1% of instances running r1750 as of Nov 26, 2024) suggests widespread susceptibility.
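As an added example (not part of the original report or of ProjectSend), the two detection points above turned into triage code: counting per-client requests to `options.php` in a combined-format access log, and checking whether the landing page `<title>` has become an unusually long string. The log lines are constructed, and the `threshold` and `max_len` values are assumptions to tune per site.

```python
"""Defender-side triage for the options.php detection points (added example).
Sample log is constructed; thresholds are assumptions, not vendor guidance."""
import re
from collections import Counter

# Apache/nginx "combined" access-log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client hammering options.php, one admin saving settings once.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Nov/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [26/Nov/2024:10:01:03 +0000] "POST /options.php HTTP/1.1" 200 312
203.0.113.5 - - [26/Nov/2024:10:01:03 +0000] "POST /options.php HTTP/1.1" 200 312
203.0.113.5 - - [26/Nov/2024:10:01:04 +0000] "POST /options.php HTTP/1.1" 200 312
203.0.113.5 - - [26/Nov/2024:10:01:04 +0000] "POST /options.php HTTP/1.1" 200 312
198.51.100.7 - - [26/Nov/2024:10:05:40 +0000] "POST /options.php HTTP/1.1" 200 312
198.51.100.7 - - [26/Nov/2024:10:05:41 +0000] "GET /index.php HTTP/1.1" 200 5120
"""

def options_php_hits(log_text):
    """Count requests per client that target options.php (any method, query string ignored)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0].endswith("/options.php"):
            hits[m.group("ip")] += 1
    return hits

def flag_sources(log_text, threshold=3):
    """Clients with more than `threshold` options.php requests (threshold is an assumption)."""
    return {ip: n for ip, n in options_php_hits(log_text).items() if n > threshold}

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)

def landing_title_suspicious(html, max_len=80):
    """True when the landing page <title> is unusually long (max_len is an assumption)."""
    m = TITLE_RE.search(html)
    return bool(m) and len(m.group(1).strip()) > max_len

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))          # {'203.0.113.5': 4}
    print(landing_title_suspicious("<title>" + "x" * 120 + "</title>"))  # True
```

Run the counter over a full day's log and alert on sources that appear in the flagged set, then confirm by fetching the landing page and running the title check; a single legitimate admin save should never trip either test.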
## References
- Vendor Advisory (Patch Release): August 2024 (Version r1750)
- Exploitation Tooling: Nuclei (Project Discovery), Metasploit (Rapid7)
- Intelligence Source: infosecurity-magazine.com/news/exploit-projectsend-critical/ (Defanged)